Although on-point in certain aspects, the Aadhaar Bill is an underwhelming effort at reforming the structure of the programme.
Ever since the Supreme Court delivered its verdict last September on the constitutional validity of the Aadhaar Act, much speculation has taken place on how Parliament would react. The court, while by and large upholding the Aadhaar programme, did strike down some select aspects. The Aadhaar (Amendment) Bill recently passed by the Lok Sabha is a response to some of the concerns identified by the court. Does the Bill adequately address the issues that the court had raised?
In certain respects, the Bill squarely addresses the court’s concerns. Section 57 of the Aadhaar Act, which enabled private authentication, has been deleted. Separate Bills that amend the Telegraph Act and the Prevention of Money Laundering Act have been introduced, and do allow some degree of private authentication, but here some privacy and security safeguards exist, and there are alternatives for verification such as the use of a passport.
Further, new provisions on offline Aadhaar verification and the use of virtual identities are also positive steps. As critics concerned with the privacy and security implications of Aadhaar have pointed out, not every use of Aadhaar for verification purposes requires accessing the CIDR data hub, where Aadhaar information resides, or the gathering of biometric information. Striking a balance, the Bill provides for offline verification that collects demographic information as required for the purpose at hand.
It clarifies that no offline verification-seeking entity shall compel users to go for online authentication, or collect, use or store either the Aadhaar number or any biometric information. UIDAI has also been authorised to decide whether a requesting entity would only be allowed access to an alternative virtual identity rather than the original Aadhaar number.
Despite these measures, some fundamental issues persist. Regarding Section 33(2) of the Aadhaar Act that authorises the disclosure of Aadhaar information upon grounds of national security, the court had concluded that the power to issue such direction must vest with a higher-ranking officer rather than the joint secretary.
This objection has now been addressed by replacing ‘joint secretary’ with ‘secretary’ in this provision. However, the majority had also preferred that this higher-ranking officer exercise directive authority along with a judicial officer. The Bill ignores this observation, and thus the absence of judicial involvement remains a concern.
The Aadhaar information, as we have argued before, consists of sensitive biometric information as well as authentication records that can be pieced together to profile individuals. Therefore, judicial involvement in the process, either at the stage of making the request for information or at least at a later point when conducting oversight of such requests, is imperative to ensure national security does not become a pretext for unfettered access to sensitive information. In the Bill, the oversight mechanism has not been modified to include judicial presence.
Similarly, the Bill does not amend Section 7 of the Act, a provision that is at the heart of Aadhaar’s overreach. The majority did not set any clear guidelines on restricting the scope of this provision, which mandates authentication as a condition for the receipt of benefits and services for which expenditure was incurred from the Consolidated Fund of India. But realising its overreach, the majority had observed that such benefits and services should be ‘in the nature of welfare schemes’ that are ‘targeted at a particular deprived class’ rather than individual benefits earned as a matter of right, including pensions and other work-related emoluments. By not capturing the essence of these observations in the Bill, Section 7 as it currently exists forces aggrieved individuals to approach courts from time to time rather than rely on statutorily prescribed limits to authentication.
The Bill has certain other weaknesses. It expands the already wide rule-making power contained in Section 54. The UIDAI even now has vast powers to penalise requesting entities. Rather than expanding the UIDAI’s authority, the Bill should have focused on divesting the UIDAI of functions that it would have no incentive to appropriately perform.
By being both the regulator and the custodian of data, the UIDAI’s two roles invite conflict. It is illusory to expect the UIDAI to self-report vulnerabilities in the database or lapses in its functioning. Instead, the Bill gives it more power.
The court has already given its seal of approval on Aadhaar, and this is not the occasion to rehearse the arguments for and against the legality of the programme. But the present Bill, although on-point on certain issues, is overall an underwhelming effort at reforming the structure of the programme.
The author is the co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148