HOW PROTECTED YOUR PRIVACY IS

UNDER AADHAR REGIME

BY SWASTIK DALAI
INTRODUCTION:
The National Identification Authority of India Bill, 2010 whose objective is
to provide for the establishment of the National Identification Authority of India for the purpose
of issuing identification numbers to the individuals residing in India and to certain other classes of
individuals and manner of authentication of such individuals to facilitate access to benefits and
services to such individuals to which they are entitled and for matters connected therewith or
incidental thereto1.
In broader sense, the central government issued a Unique Identification Number (called
Aadhaar) to every resident of India, where every resident can use his Aadhaar number to identify
himself anywhere in the country in order to avail public welfare benefits and services. This number
shall be linked to a resident’s demographic (information related to name, age, gender, and address
of the individual) and biometric information (includes iris scan and fingerprints)2. This bill was
introduced in early months of August, 2010 and the Planning Commission directly set up the
Unique Identification Authority of India (UIDAI) for the development and implementation of the
technical and legal infrastructure for establishing the system of identification numbers. The
Authority is headed by a chairman who holds a cabinet rank. Mr.Nandan Nilekani, former
cochairman of Infosys Technologies, was appointed as the first chairman of the authority in June
2009.UIDAI owns and operates the main database server called Central Identity Data Repository
(CIDR) for storing all the information of the residents.

HIGHLIGHTS OF THE BILL3:

• The Bill seeks to establish the National Identification Authority of India (NIAI) to issue
unique identification numbers (Aadhaar numbers) to residents of India.
• Every person residing in India is entitled to obtain an Aadhaar number after furnishing
relevant demographic and biometric information. No information related to race, religion,
caste, language, income or health shall be collected.
• The information collected shall be stored in the Central Identities Data Repository. This
shall be used to provide authentication services.
• Sharing of data is prohibited except by the consent of the resident; by a competent court
order; or for national security; or if directed by an authorized official of the rank of Joint
Secretary or above.
• The bill also establishes an Identity Review Committee which shall monitor the usage
patterns of Aadhaar numbers.

1
.www.prsindia.org/uploads/media/NIA%20Draft%20Bill
2
. The two categories of information is defined in clause 2(e) and clause 2(h) of the bill.
3
. http://uidai.gov.in/faq.html?catid=29
PARTNERSHIPS AND MEMORANDUM SIGNED:
Apart from this, financial inclusion is also stated to be the goal of
Unique Identification’s first institutional partnership with Life Insurance Corporation (LIC) of
India. This is meant to enhance LIC’s efficiency in administration of the various social security
schemes that are managed by it on the behalf of the Government of India4. Also, UIDAI has entered
into Memorandum of Understanding with Human Resource Development Ministry, whose aim is
to create an electronic registry of all students to track student’s mobility from primary and
elementary to secondary and higher education, and also between the institutions which would serve
myriad purposes like effective implementation of loan sanction and scholarships, mid-day meal
schemes and helping future employers by tracking fake degrees and duplicity of certificates 5 .
Similarly, the project of financial inclusion with the Rural Developments Departments launched in
Jharkhand which envisages payment of wages to Mahatma Gandhi National Rural Employment
Guarantee Act (‘MGNREGA’) workers at their doorsteps through biometric identity, thus curbing
irregularities in the wage payments to a great extent6. This widening ambit shows the eventual
extension of this Aadhaar number to the everyday life of the people.

KEY ISSUES AND LIMITATIONS:

• The Bill does not make it mandatory for an individual to enroll with the NIAI. However,
it does not prevent any service provider from prescribing Aadhaar as mandatory
requirement for availing services.
• The information collected by the NIAI may be shared with agencies engaged in delivery
of public benefits and services with prior written consent of the Aadhaar holder. The
safeguard provided for preventing misuse of this information may be inadequate.
• The Bill requires the NIAI to disclose identity information in the interest of national
security, if so directed by an authorized officer. The safeguards for protection of privacy
differ from the Supreme Court guidelines on telephone tapping.
• The Bill states that no Court shall take cognizance of any offence, except on a complaint
made by the NIAI. This could result in a conflict of interest situation if the offence is
committed by a member of the NIAI.

4
. Net Indian News Network, LIC becomes the first institutional partner in UIDAI project, 6 th June 2010
5
. Reporter, HRD ministry signs MOU with UIDAI, The Economic Times (Delhi) 27 th October,2010
6
. http://www.igovernment.in/site/uid-launch-financial-inclusion-pilot-project-38117
 • Details of demographic and biometric information to be recorded have been left to private
entities. This empowers the private entities to collect additional information without prior
approval from Parliament.
But, according to legislative view, the bill leaves many things
unsaid and is ambiguous in nature. Here we will have a legislative analysis to examine the
exact outlines of the draft legislation, individual’s inevitable privacy and the system of
identification it envisions. The project has represented many key ideas related to the UID
numbers (Aadhaar numbers) to rules to be framed by the authority. Right from the public
announcement of the project, to the drafting of the Bill, the furor over the introduction of this
system of identification has only been growing. The supporters of the project have based their
feedbacks and opinion on various hypothetical results they believe this project can have on
welfare schemes, privacy of the residents and the nature of governance in India. The sensitive
nature of biometric information, creates a worrying factor that there was no law preventing the
sharing of this biometric information with other state agencies, but to the extent that the UIDAI
has pegged de-duplication and consolidation of databases as one of the major potential benefits
of this project.

LEGISLATIVE ANALYSIS IN THE PROCESS OF AADHAAR NUMBER SYSTEM:

• Step 1- COLLECTION OF IDENTITY INFORMATION-The bill provides for agencies

to carry out collection of information in clause 2(i)7, whereas clause 2(o)8 defines the role
of the registrar. Both this definitions seem overlapping but the system provided that the
agencies will act as the agents of the Registrar, and enroll residents into the CIDR under
their supervision. Clause 3(1) removes the confusion by stating that every resident will
provide the information to the UIDAI to obtain an Aadhaar number.
• Step 2- VERIFICATION- The issue of whether there will be any verification of the
information collected is left unclear in the bill. Although, clause 3(2) states that
verification will follow the receipt of the information, the term is not defined in the
legislation. Even Clause 2(d) which states that the Aadhaar numbers and identity
information will be submitted to the CIDR for verification which appears to be referring
to the process of authentication.
• Step 3-ENROLLMENT IN THE CIDR- Subsequent to the collection and verification of
identity information, it will be submitted to the CIDR. As the bill focus on limiting the

7
.Clause 2 (i) “enrolling agency” means an agency appointed by the Authority or by the Registrars, as the case may
be, for collecting information under this Act.
8
.Clause 2 (o) “Registrar” means any entity authorised or recognised by the Authority for the purpose of enrolling
the individuals under this Act;
 information that can be held with the CIDR by restricting it to demographic and biometric
information and specifically excluding certain information under clause 9. But, clause
2(f)9 has an increased scope due to the words “other information related thereto”.

• Step 4-AUTHENTICATION- Clause 2(d) describes this as the process by which the
CIDR may verify the Aadhaar number and identify information of the individual, by a
simple check for compliance with the date available for it. But clause 5(2) states that
the UIDAI shall respond to an authentication query with a positive or negative response
or with any other appropriate response without providing any substantive demographic
and biographic information.
• Step 5-UPDATION OF INFORMATION- Clause 9 provides that Aadhaar number
holders will have to update their information as and when required, in order to maintain
accuracy. As the duty is on them, it is expected that a quick, simple and accessible system
of updating would be necessary.
In conclusion, the draft legislation leaves all the important
process of collection and verification of information shrouded in ambiguity. While the impression
cast by clause 3(1) is that the demographic and biometric data has to be submitted to the UIDAI,
it is the enrolling agencies and registrars, drawing authority from clause 2(i) and clause 2(o) who
are the de facto collectors of information. Delegation of such a critical responsibility raises grave
issues of confidentiality. Although the bill tackles the question of punishment for the intentional
misuse of information, it chooses to condone the situation of sheer negligence on the part of the
information collectors. Another gapping flaw is the unanswered question of what procedure will
be followed for verification of data before its incorporation in the CDIR database. Penalty for
impersonation at the time of enrollment is prescribed in the clause 34. What the bill does make
apparent is that the UID number will be accepted as an identity proof, only after the authentication
process, and any authentication query will be responded to with a positive or negative answer, or
any other response, keeping in mind that no information is divulged.

EXAMINING THE PRIVACY AND THE UID BILL:

The UID project exemplifies the introduction of IT into governance, and proposes the use of
superior technology such as biometrics for the benefits of the poorest of India among other things.
Although technology is a great tool for progress, it is only as good, and as neutral as the manner of

9
. Clause 2 (f) “Central Identities Data Repository” means a centralised database in one or more locations containing
all aadhaar numbers issued to aadhaar number holders along with the corresponding demographic information and
biometric information of such individuals and other information related thereto.
its use. As far as the Indian constitution goes, the right to privacy does not find explicit mention.
The courts, however, have asserted that the right to privacy may read into the constitutional
guarantee under Article 21. In Rajagopal Vs State of Tamil Nadu, the Supreme Court held that the
right to privacy was a fundamental right, enforceable against private persons as well. In Govind
Vs State of Madhya Pradesh, the Court held that an individual and “those things stamped with his
personalities” would be protected against official interference unless a reasonable basis for
intrusion exists. The same was held in the PUCL Vs Union of India, case, famously known as the
“wiretapping case”. In Selvi Vs State of Karnataka, the court adopted a wider meaning of privacy,
extending to “personal knowledge of a fact”. It emphasized personal autonomy, holding that
revealing a personal fact, was entirely in the domain of the individual’s decision-making which
must be free from interference. In the UID system the provision of information will be voluntary-
the bill does not explicitly mention this, but in all official documents the same has been
emphasized. However the voluntariness only extends to the disclosure of information to the
enrolling agencies. Given that it has remained ambiguous to what uses such information will be
put , and who will access it, it is yet to be seen whether such decisions will incorporate the consent
of the individual. Although in light, the Bill restricts the disclosure of the information, only
allowing it to when there is a specific order of a competent court. It does not involve the consent
of the individual; however, given the capability of misuse of this provision it has been urged that
the concerned person should at least be given the right to be notified of such disclosure in advance,
or generally be given an opportunity to resist the same.

A THREAT TO THE RIGHT TO PRIVACY:

Large digital identity systems as the sensitive information stored by the private entities
come with increased risks. Biometrically enhanced identity information, combined with
demographic data such as address, age and gender, among other data, when used in increasingly
large, automated systems creates profound changes in societies, particularly in regards to data
protection, privacy, and security. One of the most significant changes is the precipitous decline
of privacy by obscurity, which is essentially a form of privacy afforded to individuals inadvertently
by the inefficiencies of paper and other legacy recordkeeping. One can compare the clumsiness of
legacy paper-and-ink fingerprint cards held by local institutions, to the efficiencies of modern
digital multi-modal biometrics databases, which may include millions of digital fingerprint
templates, combined with other types of biometrics, all of which can be searched rapidly from a
single computer terminal as sourced by the private entities. Digitization serves to create a rich and
deep pool of information, often instantly accessible, and introducing consequently, profound
changes into how identity information works.

CONCLUSION:
 Even with its several ambiguities, the Bill has been the welcome measure in
some senses. In a country where discussions on privacy are severely restricted, the widespread
debate on the UID project have revealed a new side to the story, of the intrusions of the privacy
of the individual by the State. While the court have always accepted 'public interest', and ' national
security' as reasonable restrictions on privacy rights, the right of the State to not only act in the
'public interest', but also defines the contours of what constitute a 'public interest', give the state
the wide power to intrude into anyone's privacy. Hence the debates surrounding this project have
forced the civil society to question the understandings of these terms themselves. The Bill is legal
recognisation of the harms possible from misuse of the sensitive data, as evidenced by the
prohibition on certain criteria of the information. Subtle omission, such as not allowing disclosure
of details of authentication, except by the order of competent court, not even in the interest of the
national security, reveal recognisation of the very eminent possibility of misuse of a centralized
database.

The new shift on the digital age create great responsibility for policymakers to ensure the
responsible use and interpretation of identity and biometric data. Broader deployment and adoption
also increases the importance of providing safeguards – procedural, substantive and restorative –
to diminish or respond to potential deleterious side effects of biometrics. The use of digital identity
systems and biometrics for identifying or authenticating individuals need not be onerous, if
appropriate protections are in place and the government has a regulation to that effect. However,
if appropriate protections are not in place, the use of large-scale biometric identity systems can also
be used for purposes of social control, surveillance, and repression. Therefore, adequate protections
are of utmost importance to guide and direct digital biometric identity systems.

Cynicism and suspicion surrounding this project mustn't be viewed as an unhealthy

development, as it reflects a new awareness among people towards privacy and State surveillance.
Questioning of this nature is integral to ensuring participation of the people in decisions regarding
governance. It is hoped that the final legislation will remedy the loopholes in the system and
include privacy safeguards, so that this 'move forward' is one which rests on the meaningful.