The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p> </p>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system'>https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system</a>
</p>
No publishersumandroUIDData SystemsPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-19T13:18:42ZBlog EntryAadhaar Act and its Non-compliance with Data Protection Law in India
https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
<b>This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</b>
<p> </p>
<h4>Download the file: <a href="https://cis-india.org/internet-governance/blog/aadhaar-act-43a-it-rules" class="internal-link">PDF</a>.</h4>
<hr />
<p style="text-align: justify;">Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha <a name="_ftnref1"></a> . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.</p>
<p style="text-align: justify;">In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("<strong>IT Act</strong> ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("<strong>IT Rules</strong>"). Section 43A of the IT Act, 2000 <a name="_ftnref2"></a> holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.</p>
<p style="text-align: justify;">Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, <a name="_ftnref3"></a> could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.</p>
<p style="text-align: justify;">In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.</p>
<h3>1. Compensation and Penalty</h3>
<p style="text-align: justify;"><strong>Section 43A:</strong> Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.</p>
<p style="text-align: justify;"><strong>Aadhaar</strong> <strong>Act :</strong> Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.</p>
<ul style="text-align: justify;">
<li>Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI. </li>
<li>Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository. </li>
<li>Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li></ul>
<p style="text-align: justify;">Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.</p>
<h3>2. Privacy Policy</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.</p>
<p style="text-align: justify;"><strong>Implications:</strong> Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.</p>
<h3>3. Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act: </strong> The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).</p>
<p style="text-align: justify;"><strong>Implications:</strong> If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.</p>
<h3>4. Collection Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.</p>
<h3>5. Notice</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:</p>
<ul style="text-align: justify;">
<li>The fact that information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information</li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li></ul>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.</p>
<h3>6. Retention Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.</p>
<h3>7. Purpose Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p style="text-align: justify;"><strong>Aadhaar Act<a name="move447203643"></a></strong> Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.</p>
<p style="text-align: justify;"><a name="move4472036436"></a> Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<h3>8. Right to Access and Correct</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.</p>
<h3>9. Right to 'Opt Out' and Withdraw Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.</p>
<h3>10. Grievance Officer</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify;"><strong>Aadhaar Act</strong>: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.</p>
<h3>11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.</p>
<h3>12. Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.</p>
<h3>13. Security of Information</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.</p>
<h3>Implications of the Differences for Body Corporates in Aadhaar Ecosystem</h3>
<p style="text-align: justify;">An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other. <a name="move446519928"></a></p>
<p style="text-align: justify;">Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.</p>
<h3>Appendix I</h3>
<p style="text-align: justify;">The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:</p>
<p style="text-align: justify;"><strong>i. Opt-out clause:</strong> A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.</p>
<p style="text-align: justify;"><strong>ii. Voluntary:</strong> To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.</p>
<p style="text-align: justify;"><strong>iii.</strong> Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.</p>
<p style="text-align: justify;"><strong>iv.</strong> Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.</p>
<p style="text-align: justify;"><strong>v. Oversight Committee:</strong> The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.</p>
<p><strong>Sources:</strong></p>
<ul>
<li> <a href="http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/"> http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-act-to-lok-sabha-with-oppn-amendments/ </a> </li>
<li> <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"> http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/</a><br /><br /></li></ul>
<h3>Appendix II - Section 43A: Compensation for Failure to Protect Data</h3>
<p style="text-align: justify;">Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.</p>
<p style="text-align: justify;">For the purposes of this section:</p>
<ul>
<li>"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</li>
<li>"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;</li>
<li>"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.<br /><br /></li></ul>
<p style="text-align: justify;">The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals <em>engaged in commercial or professional activities</em>"</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india'>https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india</a>
</p>
No publishervanyaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-18T11:43:02ZBlog EntryFAQ on the Aadhaar Project and the Bill
https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq
<b>This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy. </b>
<p> </p>
<h4>To comment on and/or download the file, click <a href="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/edit?usp=sharing" target="_blank">here</a>.</h4>
<hr />
<iframe src="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/pub?embedded=true" height="500" width="100%"></iframe>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq'>https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq</a>
</p>
No publisherElonnai Hickok, Vanya Rakesh, and Vipul KharbandaUIDPrivacyInternet GovernanceFeaturedDigital IndiaAadhaarBiometricsHomepage2016-04-13T14:06:43ZBlog EntryAadhaar Bill 2016 Evaluated against the National Privacy Principles
https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles
<b>In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png" alt="Aadhaar Bill 2016 Evaluated against the National Privacy Principles" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles'>https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles</a>
</p>
No publisherPooja Saxena and Amber SinhaUIDBig DataPrivacyInternet GovernanceInfographicDigital IndiaAadhaarBiometrics2016-03-21T08:38:34ZBlog EntryVulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016
https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016
<b>In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>Credits:</strong> The illustration uses the following icons from The Noun Project - <a href="https://thenounproject.com/term/fingerprint/231547/">Thumpbrint</a> created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, <a href="https://thenounproject.com/term/copy/377777/">Copy</a> created by Mahdi Ehsaei.</p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png" alt="Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016'>https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016</a>
</p>
No publisherPooja Saxena and Amber SinhaUIDBig DataPrivacyInternet GovernanceInfographicDigital IndiaAadhaarBiometrics2016-03-21T08:33:53ZBlog EntrySalient Points in the Aadhaar Bill and Concerns
https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns
<b>Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill. </b>
<p id="docs-internal-guid-7301bf10-976a-ed8c-7f3d-7dde76418a24" dir="ltr"><strong>Use of Aadhaar Number</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9771-2472-c5e8-991b7fefebd0"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)</p>
</li></ul>
<em>Concerns:</em>
<ul id="docs-internal-guid-7301bf10-9773-5f01-28d6-bc08ffea2788"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.</p>
</li></ul>
<p dir="ltr"><strong><br /></strong></p>
<p dir="ltr"><strong>Enrollment Process</strong></p>
<strong>
</strong>
<p dir="ltr"><em>What the Bill says:</em></p>
<em>
</em>
<ul id="docs-internal-guid-7301bf10-9772-9fda-b2a1-8587dbdd816b"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Authentication Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:</p>
</li>
<ul><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of sharing of information at the enrollment stage or authentication stage.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of any use, disclosure, or retention of their information prescribed by the Act.</p>
</li></ul>
</ul>
<p> </p>
<p dir="ltr"><strong>Security</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Confidentiality</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Disclosure</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Power of UIDAI to make rules and regulations</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<p dir="ltr">The matters on which the UIDAI may frame rules include:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The process of collecting information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Verification of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Individual access to information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sharing and disclosure of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Alteration of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Request and response for authentication,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining use of Aadhaar numbers,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining privacy and security processes,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Specifying processes relating to data management, security protocols and other technology safeguards under this Act</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Establishing redressal mechanisms.</p>
</li></ul>
<p dir="ltr"><em>Concerns</em>:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.</p>
</li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns'>https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns</a>
</p>
No publisherAmber Sinha and Elonnai HickokUIDPrivacyInternet GovernanceAadhaarBiometrics2016-03-21T04:37:48ZBlog EntryPratap Vikram Singh - Why Aadhaar is Baseless?
https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless
<b>This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.</b>
<p> </p>
<p><em>Cross-posted from <a class="external-link" href="http://www.governancenow.com/news/regular-story/baseless-aadhaar">Governance Now</a>.</em></p>
<hr />
<p style="text-align: justify;">It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.</p>
<p style="text-align: justify;">When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.</p>
<p style="text-align: justify;">However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.</p>
<p style="text-align: justify;">The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.</p>
<p style="text-align: justify;">The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.</p>
<h3>Odd Drives the Bill</h3>
<p style="text-align: justify;">While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.</p>
<p style="text-align: justify;">The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”</p>
<p style="text-align: justify;">Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.</p>
<p style="text-align: justify;">“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.</p>
<h3>Who Defines National Security?</h3>
<p style="text-align: justify;">According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.</p>
<p style="text-align: justify;">Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”</p>
<p style="text-align: justify;">Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.</p>
<p style="text-align: justify;">Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”</p>
<p style="text-align: justify;">Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.</p>
<p style="text-align: justify;">In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”</p>
<p style="text-align: justify;">In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.</p>
<h3>Subsidy-Aadhaar Linkage</h3>
<p style="text-align: justify;">The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”</p>
<p style="text-align: justify;">According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”</p>
<p style="text-align: justify;">According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.</p>
<p style="text-align: justify;">Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”</p>
<p style="text-align: justify;">So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless'>https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless</a>
</p>
No publisherpraskrishnaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-02T05:31:30ZNews ItemList of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament
https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016
<b>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and
Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.</b>
<p> </p>
<h4>Download the submission letter: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_Aadhaar-Bill-2016_List-of-Recommendations_2016.03.16.pdf">PDF</a>.</h4>
<p> </p>
<h3>Text of the Submission</h3>
<p>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:</p>
<ul><li><strong>Identification without Consent:</strong> Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.<br /><br /></li>
<li><strong>Fallible Technology:</strong> The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. <strong>[1]</strong></li></ul>
<p>Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:</p>
<ol><li><strong>Implement the Recommendations of the Shah and Sinha Committees:</strong> The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah <strong>[2]</strong> and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha <strong>[3]</strong> have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.<br /><br /></li>
<li><strong>Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory:</strong> Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.<br /><br /></li>
<li><strong>Vulnerabilities in the Enrolment Process:</strong> The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.<br /><br /></li>
<li><strong>Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens:</strong> The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.<br /><br /></li>
<li><strong>Prohibit Central Storage of Biometrics Data:</strong> The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.<br /><br /></li>
<li><strong>Chain of Trust Model and Audit Trail:</strong> As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.<br /><br /></li>
<li><strong>Rights of Residents:</strong> There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.<br /><br /></li>
<li><strong>Establish Appropriate Oversight Mechanisms:</strong> Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.<br /><br /></li>
<li><strong>Establish Grievance Redressal and Review Mechanisms:</strong> Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.</li></ol>
<p> </p>
<h3>Endnotes</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.">http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf</a>.</p>
<p><strong>[2]</strong> See: <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf">http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016'>https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016</a>
</p>
No publisherAmber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya RakeshUIDBig DataPrivacyInternet GovernanceFeaturedDigital IndiaAadhaarBiometricsHomepage2016-03-21T08:50:09ZBlog EntryPress Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!
https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory
<b>We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the
purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. </b>
<p> </p>
<p>Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall
remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.</p>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and
alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.</p>
<p>Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court
order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.</p>
<p>These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory'>https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory</a>
</p>
No publisherAmber SinhaUIDBig DataPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-03-16T10:11:32ZBlog EntryPress Release, March 11, 2016: The Law cannot Fix what Technology has Broken!
https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken
<b>We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</b>
<p> </p>
<p>The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p>The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy,
benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the
Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.</p>
<h3>Key Issues</h3>
<h4>1. Identification without Consent</h4>
<p>Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the
right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.</p>
<h4>2. Fallible Technology</h4>
<p>The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.</p>
<p>We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with
pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.</p>
<p>At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive— the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. <strong>[1]</strong></p>
<h3>Endnote</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process">http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process</a></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken'>https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken</a>
</p>
No publisherJapreet Grewal and Sunil AbrahamUIDBig DataPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-03-16T10:10:40ZBlog EntryAn Urgent Need for the Right to Privacy
https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy
<b>Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.</b>
<p> </p>
<h4><a href="http://goo.gl/forms/hw4huFcc4b" target="_blank">Read and sign the open letter.</a></h4>
<p> </p>
<h2>Text of the Open Letter</h2>
<p>As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.</p>
<p>Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.</p>
<p>In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.</p>
<p>Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.</p>
<p>We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.</p>
<p>Signatories:</p>
<ul><li>Amber Sinha, the Centre for Internet and Society</li>
<li>Japreet Grewal, the Centre for Internet and Society</li>
<li>Joshita Pai, Centre for Communication Governance, National Law University</li>
<li>Raman Jit Singh Chima, Access Now</li>
<li>Sarvjeet Singh, Centre for Communication Governance, National Law University</li>
<li>Sumandro Chattapadhyay, the Centre for Internet and Society</li>
<li>Sunil Abraham, the Centre for Internet and Society</li>
<li>Vanya Rakesh, the Centre for Internet and Society</li></ul>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy'>https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy</a>
</p>
No publishersumandroUIDBig DataPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-03-17T07:40:12ZBlog EntryThe New Aadhaar Bill in Plain English
https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english
<b>We have put together a plain English version of the The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.
</b>
<h2 id="docs-internal-guid-4528559b-63ee-ea8a-5fc7-ff5b32b069f6" dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016</h2>
<p> </p>
<p>Chapter I. PRELIMINARY</p>
<p> </p>
<p dir="ltr">Section 1</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will be applicable in whole of India (except the state of Jammu and Kashmir).</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will become applicable on a date to be notified by the Central Government.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 2</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number” is the identification number issued to an individual under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number holder” is the person who has been given an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“benefit” means any relief or payment which may be notified by the Central Government;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Chairperson” means the Chairperson of the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Member” includes the Chairperson and Member of the Authority appointed under section 12;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“prescribed” means prescribed by rules made by the Central Government under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“regulations” means the regulations made by the UIDAI under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“resident” means a person who has resided in India for atleast 182 days in the last twelve months before the date of application for enrolment;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“service” means any facility or assistance provided by the Central Government in any form;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter II. ENROLMENT</h5>
<p> </p>
<p dir="ltr">Section 3</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every resident is entitled to get an Aadhaar number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">At the time of enrollment, the enrolling agency will inform the individual of the following details—</p>
</li>
<ol><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">how their information will be used;</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">what type of entities the information will be shared with; and</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr"> that they have a right to see their information and also tell them how they can see their information.</p>
</li></ol>
<li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 4</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">if adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 5</p>
<p dir="ltr">The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.</p>
<p> </p>
<p dir="ltr">Section 6</p>
<p dir="ltr">The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.</p>
<p> </p>
<h5 dir="ltr">Chapter III. AUTHENTICATION</h5>
<p> </p>
<p dir="ltr">Section 7</p>
<p dir="ltr">As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.</p>
<p> </p>
<p dir="ltr">Section 8</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fees for doing so.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 9</p>
<p dir="ltr">The Aadhaar number or its authentication will not be a proof of citizenship or domicile.</p>
<p> </p>
<p dir="ltr">Section 10</p>
<p dir="ltr">The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.</p>
<h5 dir="ltr"><br class="kix-line-break" />Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA</h5>
<p dir="ltr"><br class="kix-line-break" />Section 11</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The head office of the UIDAI will be in New Delhi.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may establish its offices at other places in India.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 12</p>
<p dir="ltr">The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who to be appointed by the Central Government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 13</p>
<p dir="ltr">The Chairperson and Members will be competent people with at least 10 years experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 14</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and Members will take an oath of office and of secrecy.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the Members and Chairperson will be prescribed under the government. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 15</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Central Government may remove a Chairperson or Member, who—<br class="kix-line-break" />(a) has gone bankrupt; <br class="kix-line-break" />(b) is physically or mentally unable to do his/her job;<br class="kix-line-break" />(c) has been convicted of an offence involving moral turpitude;<br class="kix-line-break" />(d) has a financial conflict of interest in performing his/her functions; or<br class="kix-line-break" />(e) has abused his/her position so that the government needs to remove him/her in public interest.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 16</p>
<p dir="ltr">An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 17</p>
<p dir="ltr">The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 18</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will have administrative control over the officers and other employees of the Authority.</p>
</li></ol>
<p dir="ltr"><br class="kix-line-break" />Section 19</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The meetings will be presided by the Chairperson, and if they are absent, then the senior most Member of the UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding the meeting will have the casting vote.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If any Member, who is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that member should disclose the financial interest and not take any further part in the discussions and decision on that matter.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 20</p>
<p dir="ltr">No actions or proceeding of the UIDAI will become invalid merely because of—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any vacancy in, or any defect in the constitution of, the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any defect in the appointment of a person as Chairperson or Member of the Authority; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any irregularity in the procedure of the Authority not affecting the merits of the case.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 21</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the employees, officer and chief executive officer will be prescribed under the government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 22.</p>
<p dir="ltr">Once the UIDAI is establishment—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 23</p>
<p dir="ltr">The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">collecting demographic information and biometric information from people seeking Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing of one or more entities to operate the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">generating and assigning Aadhaar numbers to individuals;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">performing authentication of Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">maintaining and updating the information of individuals in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">omitting and deactivating an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">establishing, operating and maintaining of the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">sharing the information of Aadhaar number holders;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying processes relating to data management, security protocols and other technology safeguards under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing committees necessary to assist the Authority in discharge of its functions;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">promoting research and development for advancement in biometrics and related areas;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">making and specifying policies and practices for Registrars, enrolling agencies and other service providers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">setting up facilitation centres and grievance redressal mechanisms;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">other powers and functions as prescribed.</p>
</li></ol>
<p dir="ltr">The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<h5 dir="ltr">Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT</h5>
<p> </p>
<p dir="ltr">Section 24</p>
<p dir="ltr">The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.</p>
<p> </p>
<p dir="ltr">Section 25</p>
<p dir="ltr">Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India</p>
<p> </p>
<p dir="ltr">Section 26</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 27</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The copy of the annual report will be laid before both houses of Parliament by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VI. PROTECTION OF INFORMATION</h5>
<p> </p>
<p dir="ltr">Section 28</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will ensure the security and confidentiality of identity information and authentication records.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number holders may request UIDAI to provide access his information (excluding the core biometric information) as per the regulations specified.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 29</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Aadhaar numbers or core biometric information will not be made public except as specified by regulations.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 30</p>
<p dir="ltr">All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.</p>
<p> </p>
<p dir="ltr">Section 31</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The identity information in the CIDR will not be altered, except as provided in this Act.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 32</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every Aadhaar number holder may obtain his authentication record as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will not collect, keep or maintain any information about the purpose of authentication.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 33</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VII. OFFENCES AND PENALTIES</h5>
<p> </p>
<p dir="ltr">Section 34</p>
<p dir="ltr">Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 35</p>
<p dir="ltr">Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 36</p>
<p dir="ltr">Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 37</p>
<p dir="ltr">Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 38</p>
<p dir="ltr">The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">accessing or securing access to the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">downloading, copying or extracting any data from the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">introducing or causing any virus or other contaminant into the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">damaging or causing damage to the data in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">disrupting or causing disruption to access to CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">causing denial of access to an authorised to the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">revealing information in breach of (D) in Section 28, or Section 29;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">destruction, deletion or alteration of any files in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">stealing, destruction, concealment or alteration of any source code used by the UIDAI.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 39</p>
<p dir="ltr">Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 40</p>
<p dir="ltr">Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p dir="ltr"><br class="kix-line-break" />Section 41</p>
<p dir="ltr">Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 42</p>
<p dir="ltr">Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 43</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case of an offence under Act committed by a Company, all person in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 44</p>
<p dir="ltr">This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.</p>
<p> </p>
<p dir="ltr">Section 45</p>
<p dir="ltr">Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.</p>
<p> </p>
<p dir="ltr">Section 46</p>
<p dir="ltr">Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.</p>
<p> </p>
<p dir="ltr">Section 47</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VIII. MISCELLANEOUS</h5>
<p> </p>
<p dir="ltr">Section 48</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Powers, functions and duties will be performed by person(s) authorised by the President.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Properties controlled and owned by UIDAI will vest in the Central Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 49</p>
<p dir="ltr">Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.</p>
<p> </p>
<p dir="ltr">Section 50</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be given an opportunity to express views before direction is given.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 51</p>
<p dir="ltr">The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.</p>
<p> </p>
<p dir="ltr">Section 52</p>
<p dir="ltr">No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.</p>
<p> </p>
<p dir="ltr">Section 53</p>
<p dir="ltr">The Central Government has the power to makes Rules for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 54</p>
<p dir="ltr">UIDAI has the power to make regulations for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 55</p>
<p dir="ltr">Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.</p>
<p> </p>
<p dir="ltr">Section 56</p>
<p dir="ltr">Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.</p>
<p> </p>
<p dir="ltr">Section 57</p>
<p dir="ltr">This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<p> </p>
<p dir="ltr">Section 58</p>
<p style="text-align: justify;" dir="ltr">The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.</p>
<p> </p>
<p dir="ltr">Section 59</p>
<p style="text-align: justify;" dir="ltr">Action take by Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.</p>
<p> </p>
<h5 dir="ltr">STATEMENT OF OBJECTS AND REASONS</h5>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This has proved to be a major hindrance for successful implementation of these programmes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.</p>
</li></ol>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english'>https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english</a>
</p>
No publisherAmber Sinha, Vanya Rakesh and Vipul KharbandaUIDPrivacyInternet GovernanceAadhaarBiometrics2016-03-11T04:41:38ZBlog EntryAadhaar Bill fails to incorporate suggestions by the Standing Committee
https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee
<b>In 2011, a standing committee report led by Yashwant Sinha had been scathing in its indictments of the Aadhaar BIll introduced by the UPA government. Five years later, the NDA government has introduced a new bill which is a rehash of the same. I look at the concerns raised by the committee report, none of which have been addressed by the new bill.
</b>
<p id="docs-internal-guid-0c1d0148-5959-8221-80f0-984c1f109411" dir="ltr">The article was published by <a class="external-link" href="http://thewire.in/2016/03/10/aadhaar-bill-fails-to-incorporate-standing-committees-suggestions-24433/">The Wire</a><a class="external-link" href="https://globalvoices.org/2016/02/09/a-good-day-for-the-internet-everywhere-india-bans-differential-data-pricing/"> </a>on March 10, 2016</p>
<p dir="ltr">In December, 2010, the UPA Government introduced the National Identification Authority of India Bill, 2010 in the Parliament. It was subsequently referred to a Standing Committee on Finance by the Speaker of Lok Sabha under Rule 331E of the the Rules of Procedure and Conduct of Business in Lok Sabha. This Committee, headed by BJP leader Yashwant Sinha took evidence from the Minister of Planning and the UIDAI from the government, as well as seeking the view of parties such as the National Human Rights Commission, Indian Banks Association and researchers like Dr Reetika Khera and Dr. Usha Ramanathan. In 2011, having heard from various parties and considering the concerns and apprehensions about the UID scheme, the Committee deemed the bill unacceptable and suggested a re-consideration of the the UID scheme as well as the draft legislation.</p>
<p dir="ltr">The Aadhaar programme has so far been implemented under the Unique Identification Authority of India, a Central Government agency created through an executive order. This programme has been shrouded in controversy over issues of privacy and security resulting in a Public Interest Litigation filed by Judge Puttaswamy in the Supreme Court. While the BJP had criticised the project as well as the draft legislation when it was in opposition, once it came to power and particularly, after it launched various welfare schemes like Digital India and Jan Dhan Yojna, it decided to continue with it and use Aadhaar as the identification technology for these projects. In the last year, there have been orders passed by the Supreme Court which prohibited making Aadhaar mandatory for availing services. One of the questions that the government has had to answer both inside and outside the court on the UID project is the lack of a legislative mandate for a project of this size. About five years later, the new BJP led government has come back with a rehash of the same old draft, and no comments made by the standing committee have been taken into account.</p>
<p dir="ltr">The Standing Committee on the old bill had taken great exception to the continued collection of data and issuance of Aadhaar numbers, while the Bill was pending in the Parliament. The report said that the implementation of the provisions of the Bill and continuing to incur expenditure from the exchequer was a circumvention of the prerogative powers of the Parliament. However, the project has continued without abeyance since its inception in 2009. I am listing below some of the issues that the Committee identified with the UID project and draft legislation, none of which have been addressed in current Bill.</p>
<p dir="ltr">One of the primary arguments made by proponents of Aadhaar has been that it would be useful in providing services to marginalized sections of the society who currently do not have identification cards and consequently, are not able to receive state sponsored services, benefits and subsidies. The report points that the project would not be able to achieve this as no statistical data on the marginalized sections of the society are being used to by UIDAI to provide coverage to them. The introducer systems which was supposed to provide Aadhaar numbers to those without any form of identification, has been used to enroll only 0.03% of the total number of people registered. Further, the <a href="http://uidai.gov.in/UID_PDF/Committees/Biometrics_Standards_Committee_report.pdf">Biometrics Standards Committee of UIDAI</a> has itself acknowledged the issues caused due to a high number of manual laborers in India which would lead to sub-optimal fingerprint scans. A <a href="http://www.4gid.com/De-dup-complexity%20unique%20ID%20context.pdf">report by 4G Identity Solutions</a> estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. In this manner, the project could actually end up excluding more people.</p>
<p dir="ltr">The Report also pointed to a lack of cost-benefit analysis done before going ahead with scheme of this scale. It makes a reference to the <a href="http://eprints.lse.ac.uk/684/1/identityreport.pdf">report</a> by the London School of Economics on the UK Identity Project which was shelved due to a) huge costs involved in the project, b) the complexity of the exercise and unavailability of reliable, safe and tested technology, c) risks to security and safety of registrants, d) security measures at a scale that will result in substantially higher implementation and operational costs and e) extreme dangers to rights of registrants and public interest. The Committee Report insisted that such global experiences remained relevant to the UID project and need to be considered. However, the new Bill has not been drafted with a view to address any of these issues.</p>
<p dir="ltr">The Committee comes down heavily on the irregularities in data collection by the UIDAI. They raise doubts about the ability of the Registrars to effectively verify the registrants and a lack of any security audit mechanisms that could identify issues in enrollment. Pointing to the news reports about irregularities in the process being followed by the Registrars appointed by the UIDAI, the Committee deems the MoUs signed between the UIDAI and the Registrars as toothless. The involvement of private parties has been under question already with many questions being raised over the lack of appropriate safeguards in the contracts with the private contractors.</p>
<span id="docs-internal-guid-0c1d0148-595b-32fa-49d2-8f6a347a4c00">Perhaps the most significant observation of the Committee was that any scheme that facilitates creation of such a massive database of personal information of the people of the country and its linkage with other databases should be preceded by a comprehensive data protection law. By stating this, the Committee has acknowledged that in the absence of a privacy law which governs the collection, use and storage of the personal data, the UID project will lead to abuse, surveillance and profiling of individuals. It makes a reference to the Privacy Bill which is still at only the draft stage. The current data protection framework in the Section 43A rules under the Information Technology Act, 2000 are woefully inadequate and far too limited in their scope. While there are some protection built into Chapter VI of the new bill, these are nowhere as comprehensive as the ones articulated in the Privacy Bill. Additionally, these protections are subject to broad exceptions which could significantly dilute their impact.</span>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee'>https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee</a>
</p>
No publisheramberUIDAadhaarInternet GovernancePrivacy2016-03-10T15:58:57ZBlog EntryAadhaar Bill 2016 & NIAI Bill 2010 - Comparing the Texts
https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison
<b>This is a quick comparison of the texts of the Aadhaar Bill 2016 and the National Identification Authority of India Bill 2010. The new sections in the former are highlighed, and the deleted sections (that were part of the latter) are struck out.</b>
<p> </p>
<iframe src="http://cis-india.github.io/aadhaar-bill-2016/" frameborder="0" height="500px" width="100%"> </iframe>
<p> </p>
<p>Source: <a href="http://cis-india.github.io/aadhaar-bill-2016/">http://cis-india.github.io/aadhaar-bill-2016/</a></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison'>https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison</a>
</p>
No publishersumandroUIDAadhaarBig DataPrivacy2016-03-09T11:25:01ZBlog EntryA comparison of the 2016 Aadhaar Bill, and the 2010 NIDAI Bill
https://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill
<b>This blog post does a clause-by-clause comparison of the provisions of National Identification Authority of India Bill, 2010 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
</b>
<ul id="docs-internal-guid-400d9138-596b-bafd-2e9b-46f6530d6e51"><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Title</h3>
</li></ul>
<p style="text-align: justify;" dir="ltr">2010 Bill: The Bill was titled as the National Identification Authority of India Bill, 2010.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The Bill has been titled as the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Purpose/Object Clause</h3>
</li></ul>
<p style="text-align: justify;" dir="ltr">2010 Bill: The purpose of Bill was stated to provide for the establishment of the National Identification Authority of India to issue identification numbers to residents of India as well as certain other classes of individuals , to facilitate access to benefits and services, to which they are entitled.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The purpose of this Bill has been stated to ensure targeted delivery of subsidies, benefits and services to residents of India in an efficient and transparent manner by assigning unique identity numbers to such individuals.</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Definitions</h3>
</li></ul>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Authentication” was defined as the process in which the Aadhaar number, along with other attributes (including biometrics) are submitted to the Central Identities Data Repository for verification, done on the basis of information, data or documents available with the Repository.</p>
2016 Bill : “Authentication” has been defined as the process by which the Aadhaar number, along with demographic or biometric information of an individual is submitted to the Central Identities Data Repository for the purpose of verification, done on the basis of the correctness of (or lack of) information available with it.</li></ol>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Authentication Record” was not defined in the previous Bill.</p>
2016 Bill : “Authentication Record” has been defined under clause 2(d) as the record of the time of authentication, the identity of the entity requesting such record and the response provided by the Authority for this purpose.
</li></ol>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Authority” was defined under clause 2(d) as National Identification Authority of India established under provisions of the Bill. </p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> 2016 Bill :“Authority” has been defined under clause 2(e) as Unique Identification Authority of India established under provisions of the Bill.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<ol start="4"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Benefit” was not defined in the previous Bill. </p>
2016 Bill : “Benefit” has been defined under clause 2(f) as any advantage, gift, reward, relief, or payment (either in cash or kind), or such other benefits, which is provided to an
</li></ol>
<p style="text-align: justify;" dir="ltr">individual/ a group of individuals as notified by the Central Government.</p>
<p> </p>
<ol start="5"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Biometric Information” was defined under clause 2(e) as a set of biological attributes of an individual as may be specified by regulations.</p>
2016 Bill : “Biometric Information” has been defined under clause 2(g) as biological attributes of an individual like photograph, fingerprint, Iris scan, or other such biological
</li></ol>
<p style="text-align: justify;" dir="ltr">attributes as may be specified by regulations.</p>
<p> </p>
<ol start="6"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Core Biometric Information” was not defined in the previous Bill.</p>
2016 Bill : “Core Biometric Information” has been defined under clause 2(j) as biological attribute of an individual like fingerprint, Iris scan, or such other biological attribute as
</li></ol>
<p style="text-align: justify;" dir="ltr">may be specified by regulations.</p>
<p> </p>
<ol start="7"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Demographic Information” was defined under clause 2(h) as information specified in the regulations for the purpose of issuing an Aadhaar number, like information relating to the name, age, gender and address of an individual (other than race, religion, caste, tribe, ethnicity, language, income or health), and such other information.</p>
2016 Bill : “Demographic Information” has been defined under clause 2(k) as information of an individual as may be specified by regulations for the purpose of issuing an Aadhaar number like information relating to the name, date of birth, address and other relevant information, excluding race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history of an individual.
</li></ol>
<p> </p>
<ol start="8"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Enrolling Agency” was defined under clause 2(i) as an agency appointed by the Authority or the Registrars for collecting information under the Act.</p>
2016 Bill : “Enrolling Agency” has been defined under clause 2(l) as an agency appointed by the Authority or a Registrar for collecting demographic and biometric information of individuals under this Act.
</li></ol>
<p> </p>
<ol start="9"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Member” was defined under clause 2(l) to include the Chairperson and a part-time Member of the Authority appointed under the provisions of the Bill.</p>
2016 Bill : “Member” has been defined under clause 2(o) to include the Chairperson and Member of the Authority appointed under the provisions of the Bill.
</li></ol>
<p> </p>
<ol start="10"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Records of Entitlement” was not defined under the previous Bill.</p>
2016 Bill : “Records of Entitlement” has been defined under clause 2(r) as the records of benefits, subsidies or services provided to, or availed by, any individual under any programme.
</li></ol>
<p> </p>
<ol start="11"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Requesting Entity” was not defined under the previous Bill.</p>
2016 Bill : “Requesting Entity” has been defined under clause 2(u) as an agency or person that submits information of an individual comprising of the Aadhaar number and</li></ol>
<p style="text-align: justify;" dir="ltr">demographic or biometric information to the Central Identities Data Repository for the purpose of authentication.</p>
<p> </p>
<ol start="12"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Resident” was defined under clause 2(q) as an individual usually residing in a village, rural area, town, ward, demarcated area (demarcated by the Registrar General of Citizen Registration) within a ward in a town or urban area in India.</p>
2016 Bill : “Resident” has been defined under clause 2(v) as an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.
</li></ol>
<p> </p>
<ol start="13"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Review Committee” was defined under clause 2(r) as the Identification Review Committee constituted under the provisions of the Bill.</p>
2016 Bill : “Review Committee” has not been defined under the Bill.
</li></ol>
<p> </p>
<ol start="14"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Service” was not defined in the previous Bill.</p>
2016 Bill : “Service” has been defined under clause 2 (w) as any provision, facility, utility or any other assistance provided in any form to an individual or a group of individuals as may be notified by the Central Government.
</li></ol>
<p> </p>
<ol start="15"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">2010 Bill: “Subsidy” was not defined in the previous Bill.</p>
2016 Bill : “Subsidy” has been defined under clause 2(x) as any form of aid, support, grant, subvention, or appropriation (either in cash or kind), as may be notified by the Central Government, given to an individual or a group of individuals.
</li></ol>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Enrolment</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Aadhaar Numbers</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2016 Bill : Under clause 3(2) of the Bill, it is stated that at the time of enrolment, The enrolling agency shall inform the individual undergoing enrolment the following details:</p>
<p style="text-align: justify;" dir="ltr">(a) the manner in which the information so collected shall be used,</p>
<p style="text-align: justify;" dir="ltr">(b) the nature of recipients with whom the information is intended to be shared during authentication,and</p>
<p style="text-align: justify;" dir="ltr">(c) the existence of a right to access information, the procedure for making such requests for access, and details of the person/department in-charge to whom such requests can be</p>
<p style="text-align: justify;" dir="ltr">made.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Properties of Aadhaar Number </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill : Clause 4 (3) stated that subject to authentication, the Aadhaar number shall be accepted as a proof of identity of the Aadhaar number holder.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 4 (3) states that subject to authentication, the Aadhaar number (either in physical or electronic form) shall be accepted as a proof of identity of the Aadhaar</p>
<p style="text-align: justify;" dir="ltr">number holder.</p>
<p style="text-align: justify;" dir="ltr">The Explanation under this clause states that for the purpose of this provision, “electronic form” shall have the same meaning as assigned to it in section 2 (1) (r) of the Information Technology Act, 2000.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Authentication</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services, etc. </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2016 Bill : Under clause 7 of the Bill it is provided that for the purpose of establishing an individual's identity as a condition to receipt a a subsidy, benefit or service. the Central or State Government (as the case may be), require that such individual undergo authentication, or furnish proof of possession of Aadhaar number. In case the Aadhaar number has not been assigned to an individual, such individual must make an application for enrolment.</p>
<p style="text-align: justify;" dir="ltr">The Proviso states that the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service, in an Aadhaar number is not assigned to an individual.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Authentication of Aadhaar number </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 5 of the Bill stated that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees. Also, it was provided that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any demographic and biometric information).</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The Bill states that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees.</p>
<p style="text-align: justify;" dir="ltr">Clause 8 (2) provides that unless otherwise provided in the Act, the requesting entity shall— </p>
<ol><li style="list-style-type: lower-alpha;" dir="ltr">
<p style="text-align: justify;" dir="ltr">For the purpose of authentication, obtain the consent of an individual before collecting his identity information, and</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p style="text-align: justify;" dir="ltr">ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.</p>
</li></ol>
<p style="text-align: justify;" dir="ltr">Clause 8 (3) provides that the following details shall be informed by the requesting entity to the individual submitting his identity information for the purpose of authentication: </p>
<p style="text-align: justify;" dir="ltr"> a. the nature of information that may be shared upon authentication;</p>
<p style="text-align: justify;" dir="ltr"> b. the uses to which the information received during authentication may be put by the requesting entity; and</p>
<p style="text-align: justify;" dir="ltr"> c. alternatives to submission of identity information to the requesting entity.</p>
<p style="text-align: justify;" dir="ltr">Clause 8(4) states that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any core biometric information).</p>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Prohibition on requiring certain information. </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 9 of the Bill prohibited the Authority to make an individual give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : This provision has been removed from the 2016 Bill.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Unique Identification Authority Of India</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Establishment of Authority </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 11(1) of the Bill stated that the Central Government shall establish an Authority called as the National Identification Authority of India, to exercise the powers conferred on it and to perform the functions assigned to it under this Act. Also, clause 11(3) provided that the head office of the Authority shall be in the National Capital Region, referred to in section 2(f) of the National Capital Region Planning Board Act, 1985. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 11(1) of the Bill states that the Central Government shall establish an Authority called as the Unique Identification Authority of India, responsible for the processes of enrolment, authentication and perform such other functions assigned to it under this Act. Also, clause 11(3) provides that the head office of the Authority shall be in New Delhi.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Composition of Authority</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 12 provided that the Authority shall consist of a Chairperson and two part-time Members, to be appointed by the Central Government. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 12 of the Bill provides that the Authority shall consist of a Chairperson (appointed on part-time or full- time basis) , two part-time Members, and the chief executive officer (who shall be Member-Secretary of the Authority), to be appointed by the Central Government.</p>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Qualifications for appointment of Chairperson and Members of Authority</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 13 provided that the Chairperson and Members of the Authority shall be persons of ability, integrity and outstanding calibre having experience and knowledge in the matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 13 provides that the Chairperson and Members of the Authority shall be persons of ability and integrity having experience and knowledge of at least ten years in matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.</p>
<p> </p>
<ol start="4"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Term of office and other conditions of service of Chairperson.</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Proviso to Clause 14 (1) stated that the Chairperson of the Unique Identification Authority of India, who would have been appointed before the commencement of this Act by notification A-43011/02/2009-Admn.I (Vol.II) dated the 2nd July, 2009, shall continue as a Chairperson of the Authority for the term for which he had been appointed. Clause 14(4) prohibited the Chairperson from holding any other office during the period of holding his office in the Authority. Proviso to clause 14 (5) stated the salary, allowances and the other terms and conditions of service of the Chairperson shall not be varied to his disadvantage after his appointment. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : These provisions have not been included in the Bill.</p>
<p> </p>
<ol start="5"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Removal of Chairperson and Members</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (d) or (e) of sub-section (1).</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (b), (d) or (e) of sub-section (1).</p>
<p> </p>
<ol start="6"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Restrictions on Chairperson or Members on employment after cessation of office</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 16 (a) provided that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management or administration of, any person which has been associated with any work under the Act, for a period of three years from the date on which they cease to hold office, without previous approval of the Central Government. </p>
<p style="text-align: justify;" dir="ltr">The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in section 617 of the Companies Act, 195.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill: Clause 16 (a) provides that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority (whether directly or indirectly), during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office, without previous approval of the Central Government. </p>
<p style="text-align: justify;" dir="ltr">The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in clause (45) of section 2 of the Companies Act, 2013.</p>
<p> </p>
<ol start="7"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Functions of Chairperson</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 17 of the Bill provided that the Chairperson shall have powers of general superintendence, direction in the conduct of the affairs of the Authority, preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 17 of the Bill states that the Chairperson shall preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.</p>
<p> </p>
<ol start="8"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Chief Executive Officer</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 20 (1) of the Bill stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, who shall be the Member-Secretary of the Authority,shall be appointed by the Central Government.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 18 (1) stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, shall be appointed by the Central Government. In the list of its responsibilities, clause 18 (2) (e) additionally provides for performing such other functions, or exercising such other powers, as may be specified by regulations.</p>
<p> </p>
<ol start="9"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Meetings </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 18 (4) provided that all decisions of the Authority shall be authenticated by the signature of the Chairperson or any other Member who is authorised by the Authority for this purpose.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 19 (4) provided that all decisions of the Authority shall be signed by the Chairperson, any other Member or the Member-Secretary authorised by the Authority.</p>
<p> </p>
<ol start="10"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Vacancies, etc., not to invalidate proceedings of Authority</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 19 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as a Member of the Authority</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 20 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as Chairperson or Member of the Authority</p>
<p> </p>
<ol start="11"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Powers and functions of Authority</strong></p>
</li></ol>
<p> Clause 23 (2) (k)</p>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 23 (2) (k) provided that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct, in a manner as specified by regulations. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 23 (2) (k) provides that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, subject to the provisions of this Act.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr">Clause 23 (2) (r) </p>
<p style="text-align: justify;" dir="ltr">2010 Bill : Clause 23 (2) (r) stated that the powers and functions of the Authority may include specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 23 (2) (r) states that the powers and functions of the Authority may include evolving of, and specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Grants, Accounts and Audit and Annual Report</h3>
</li></ul>
<p> </p>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 25 provided that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India and the entire amount so credited be transferred to the Authority.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 25 states that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Identity Review Committee</h3>
</li></ul>
<p> </p>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 28 of the Bill provided for establishment of the Identity Review Committee, consisting of three members (including the chairperson) who are persons of eminence, ability, integrity and having knowledge and experience in the fields of technology, law, administration and governance, social service, journalism, management or social sciences. Clause 29 of the Bill enlisted several functions to be undertaken by the Review Committee so constituted.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill: These provisions have been removed from the Bill.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Protection of Information</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Security and confidentiality of information</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.</p>
<p>2016 Bill : Clause 28 (3) states that the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.</p>
<p style="text-align: justify;" dir="ltr">A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:</p>
<p style="text-align: justify;" dir="ltr">(a) adopt and implement appropriate technical and organisational security measures,</p>
<p style="text-align: justify;" dir="ltr">(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and</p>
<p style="text-align: justify;" dir="ltr">(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Restriction on sharing information </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: The Bill did not provide for restrictions on sharing of information.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill: This new provision under Clause 29 states that no core biometric information, collected or created under this Act, shall be—</p>
<p style="text-align: justify;" dir="ltr">(a) shared with anyone for any reason whatsoever; or</p>
<p style="text-align: justify;" dir="ltr">(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.</p>
<p style="text-align: justify;" dir="ltr">Also, the identity information, other than core biometric information, collected or created</p>
<p style="text-align: justify;" dir="ltr">under this Act may be shared only in accordance with the provisions of this Act as specified under Regulations.</p>
<p>Clause 29 (3) prohibits usage of identity information available with a requesting entity for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication, or disclosed further, except with the prior consent of the individual to whom such information relates.</p>
<p>Clause 29 (4) prohibits publication, displaying or publicly posting of the Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder, except for the purposes as may prescribed in Law.</p>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Biometric information deemed to be sensitive personal information.</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> 2010 Bill: The Bill did not contain provisions stating that the biometric information shall be deemed to be sensitive personal information for the purpose of this Act. </p>
<p style="text-align: justify;" dir="ltr">2016 Bill: Clause 30 states that the biometric information collected and stored in electronic form shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information,to the extent not in derogation of the provisions of this Act.</p>
<p> The Explanation defines</p>
<p style="text-align: justify;" dir="ltr">(a) “electronic form” - as defined under section 2 (1) (r) of the Information Technology Act, 2000,</p>
<p style="text-align: justify;" dir="ltr">(b) “electronic record” as defined under section 2 (1) (t) of the Information Technology Act, 2000</p>
<p style="text-align: justify;" dir="ltr">(c)“sensitive personal data or information” - as defined under clause (iii) of the</p>
<p style="text-align: justify;" dir="ltr">Explanation to section 43A of the Information Technology Act, 2000.</p>
<p> </p>
<ol start="4"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Security and confidentiality of information</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 28 (3) states that the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.</p>
<p style="text-align: justify;" dir="ltr">A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:</p>
<p style="text-align: justify;" dir="ltr">(a) adopt and implement appropriate technical and organisational security measures,</p>
<p style="text-align: justify;" dir="ltr">(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and</p>
<p style="text-align: justify;" dir="ltr">(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.</p>
<p> </p>
<ol start="5"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Alteration of demographic information or biometric information. </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 31 (4) prohibits alteration of identity information in the Central Identities Data Repository, except in the manner provided in this Act or regulations made thereof.</p>
<p> </p>
<ol start="6"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Access to own information and records of requests for authentication.</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 32 (3) provides that the Authority shall not collect, keep or maintain any information about the purpose of authentication, either by itself or through any entity under its control.</p>
<p> </p>
<ol start="7"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Disclosure of information in certain cases </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order of a competent court; or disclosure (including identity information) made in the interests of national security in pursuance of directions issued by an officer(s) not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order not inferior to that of a District Judge (provided that the court order shall be made only after giving an opportunity of hearing to the Authority); or disclosure (including identity information or authentication records) made in the interests of national security in pursuance of directions issued by an officer not below the rank of Joint Secretary to the Government of India, authorised in this behalf by an order of the Central Government.</p>
<p>The proviso to Clause 33 (2) states that every direction so issued shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect.</p>
<p style="text-align: justify;" dir="ltr">The second proviso states that any such direction so issued shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Offences and Penalties</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Penalty for impersonation at time of enrolment. </strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years, or with fine which may extend to ten thousand rupees, or both.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Penalty for unauthorised access to the Central Identities Data Repository</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 38 (g) stated that any person not authorised by the Authority, provides any assistance to any person to do any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than one crore rupees.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 38 (g) stated that any person not authorised by the Authority, reveals any information in contravention of sub-section section 28 (5), or shares, uses or displays information in contravention of section 29 or assists any person in any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than ten lakh rupees. Additionally, the Explanation states that the expression “computer source code” shall have the meaning assigned to it in the Explanation to section 65 of the Information Technology Act, 2000.</p>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Penalty for unauthorised use by requesting entity and noncompliance with intimation requirements</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 40 of the Bill prescribed penalty for manipulating biometric information and stated that a person who gives/attempts to give any biometric information which does not pertain to him for the purpose of getting an Aadhaar number, authentication or updating his information, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or with both.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill: Clause 40 prescribes penalty for a person, being a requesting entity, uses the identity information of an individual in contravention of clause 8(3) , to be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both. Clause 41 of the Bill states that Whoever, being an enrolling agency or a requesting entity, fails to comply with the requirements of clause 3(2)-list of details to be informed to the individual undergoing enrolment, and clause 8(3)-informing individual undergoing enrolment details for the purpose of authentication, shall be punishable with imprisonment which may extend to one year, or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.</p>
<p> </p>
<ol start="4"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>General Penalty</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to three years, or fine as prescribed.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to one year, or fine as prescribed.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Miscellaneous</h3>
</li></ul>
<p> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Power of Central Government to supersede Authority.</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 47(1)(c) stated that if at any time the Central Government is of the opinion that such circumstances exist which render it necessary in the public interest to supersede the Authority, may do so in the manner prescribed under this provision.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 48(1)(c) states that if at any time the Central Government is of the opinion that a public emergency exists, then the Central Government may supersede the Authority, in the manner prescribed under this provision.</p>
<p> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Power to remove difficulties.</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: The proviso to Clause 56(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of two years from the commencement of this Act.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : The proviso to Clause 58(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of three years from the commencement of this Act.</p>
<p> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr"><strong>Savings</strong></p>
</li></ol>
<p style="text-align: justify;" dir="ltr">2010 Bill: Clause 57 provided that any action taken by the Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, shall be deemed to have been done or taken under the corresponding provisions of this Act.</p>
<p style="text-align: justify;" dir="ltr">2016 Bill : Clause 59 states that any action take by Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009, or by the Department of Electronics and Information Technology under the Cabinet Secretariat Notification bearing notification number S.O. 2492(E), dated the 12th September, 2015, as the case may be, shall be deemed to have been validly done or taken under this Act.</p>
<p> </p>
<ul><li style="list-style-type: disc;" dir="ltr">
<h3 style="text-align: justify;" dir="ltr">Statement of Objects and Reasons</h3>
</li></ul>
<p> </p>
<p style="text-align: justify;" dir="ltr">2010 Bill: The Bill stated that the Central Government decided to issues unique identification numbers to all residents in India, which involves collection of demographic, as well as biometric information. The Unique Identification Authority of India was constituted as an executive body by the Government, vide its notification dated the 28th January, 2009. The Bill addressed and enlisted several issues with the issuance of unique identification numbers which should be addressed by law and attract penalties, such as security and confidentiality of information, imposition of obligation of disclosure of information so collected in certain cases, impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, manipulation of biometric information, investigation of certain acts constituting offence, and unauthorised disclosure of the information collected for the purposes of issuance of the numbers. To make the said Authority a statutory one, the National Identification Authority of India Bill, 2010 was proposed to establish the National Identification Authority of India to issue identification numbers and authenticate the Aadhaar number to facilitate access to benefits and services to such individuals to which they are entitled and for matters connected therewith or incidental thereto.Apart from the above mentioned purposes, The National Identification Authority of India Bill, 2010 also seeks to provide for the Authority to exercise powers and discharge functions so prescribed , ensure that the Authority does not require any individual to give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health, may engage entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations, constitute the Identity Review Committee and take measures to ensure that the information in the possession or control of the Authority is secured and protected against any loss, unauthorised access or use or unauthorised disclosure thereof.</p>
<span id="docs-internal-guid-400d9138-596d-34f7-a004-875694b1e54e">2016 Bill: The Bill states that correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government and has proved to be a major hindrance for successful implementation of these programmes. In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries. The Unique Identification Authority of India was established by a resolution of the Government of India, Planning Commission vide notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number. Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes. With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created. It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory. For this purpose, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the Unique Identification Authority of India, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the Unique Identification Authority of India, maintenance and updating the information of individuals in the Central Identities Data Repository, state measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.</span>
<p> </p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill'>https://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill</a>
</p>
No publisherVanya RakeshAadhaarInternet GovernanceUID2016-03-09T04:08:01ZBlog Entry