[Ed Note : The following post, the second post in the series of posts containing comments to the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on the Report and Draft bill in relation to the AADHAR issue.
The first post in the series can be found here. Keep watching this space for more posts in the series!]
With the Supreme Court upholding the constitutional validity of the Aadhaar Act and scheme on the 27th of September, 2018, a significant impact will be felt by the Data Protection Bill. If one looks at the larger aim of a Bill like the Data Protection Bill, it is to recognize that an individual’s data and their rights over it are of utmost importance. With the Apex Court upholding the validity of Aadhaar albeit certain caveats, a thorn is created in the larger realization of the Bill’s goal. Principally, the limitation of the role of Aadhaar by the judgment would secure rights in terms of who uses available data and the interference of private parties. However, the fact that biometric data collection is still a valid process creates doubts regarding the conflicting nature of the aims of data protection and Aadhaar.
The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy. Many critics have pointed out that the use of biometric data instead of smart cards is a mechanism of choosing surveillance over the use of e-governance technologies.
1. Consent, AADHAR and Data Protection
The idea of consent does not present itself when a data subject is mandatorily required to register themselves with the Aadhaar programme. The Supreme Court held that Aadhaar is essential for filing Income Tax Returns (ITR) and to obtain a new PAN Card. The judgment makes linking of Aadhaar to PAN also mandatory which again takes away the idea of choice in giving out information that concerns personal data. Thus while in theory the programme remains voluntary, in practice it simply is not, as most services are linked to the PAN Card, including crucially opening a bank account.
Especially with reference to the provision of subsidies and benefits, Aadhaar has become ‘the’ identification metric. Failure of Aadhaar authentication has resulted in the loss of the subsidy or the benefit. The government has refused to use in other forms of identification as an alternative for the same. Therefore, the idea of consent embodied under Section 12 of the Draft Bill is violated. Even if on a central level Aadhaar is made non-mandatory for the provision of certain services, there are many State-level provisions that are necessarily linked to solely the Aadhaar – most painfully sometimes in denying education to students.
2. The AADHAR infrastructure and purpose of limitation
Section 5 of the Data Protection Bill is the ‘purpose limitation’ clause. Section 5(1) states that ‘personal data shall be processed only for purposes that are clear, specific and unlawful’. A very obvious counter to this is presented in the form of Aadhaar. The nexus that the Government draws upon to justify Aadhaar is the linking of it to subsidy and welfare benefit schemes. While Aadhaar has become mandatory for the same, there is no limitation as to what extent the purpose can be determined until which it is legitimate for making Aadhaar mandatory. The creation of an Aadhaar number associated with an individual is itself the individual giving up on certain rights that concern their biometric data and physical markings. Even if the Aadhaar is made for the singular purpose of accruing social welfare benefits, the fact that every new scheme may seek the same makes the idea of purpose determination difficult if not impossible. The scope available to the Government for drawing out information under the guise of the Aadhaar is notably expanded.
The Aadhaar Act will have to be amended in order to ensure the autonomy of the UIDAI.
- Exceptions in the Bill for the Aadhaar Act
The Aadhaar project engages in a balancing exercise between the individual’s right to privacy and the state’s right to intrude upon that privacy but ultimately comes out heavily in favor of the latter. While the idea of a data protection Act appears to be based upon ensuring a fair and meaningful exercise of the right to privacy, this cannot be achieved unless the unjustifiable privacy incursions of Aadhaar are adequately dealt with. The Bill includes several exceptions to the requirement of consent for the processing of data, some of which pertain, inter alia, to the provision of welfare benefits and not merely state security exemptions (Section 42) or prosecution of offenses. This would bolster the functioning of Aadhaar to such an extent as to abrogate a (vulnerable) data subject’s expectation of privacy.
Sections 13 and 19 of the draft Bill are particularly relevant in this regard. While Section 13 allows for the processing of personal data even without consent for the exercise of “any function, for the delivery of services or benefits or issuance of certificates”, Section 19(b) in a similar vein allows for the processing of sensitive personal data (which includes biometric data) if it is “strictly necessary for… any function of the State authorized by law for the provision. The use of such broad and sweeping terms is reminiscent of the broad and sweeping ideals of any service or benefit to the data principal”. Similarly, Section 17 allows the Data Protection Authority (DPA) to process data for “reasonable purposes”, which as per the accompanying illustrative list includes such uses as credit scoring and debt recovery which could be easily taken from the Aadhaar database which, even after the judgment, intrude into multiple areas of everyday life. This merely strengthens a DPA that is already tasked with far too excessive levels of powers. By providing this increased scope for data interference and exceptions from being governed from the personal right to privacy, there is an increased scope of arbitrary action. Even in the presence of remedies to the same, there will still inevitably be a number of data privacy casualties as a product of this nearly unlimited power.
The key question to be answered in this regard is whether Aadhaar is, in practice, necessary to carry out the function of the State, and this remains extremely contentious (particularly in light of the purpose limitations laid out in Section 5 of the draft Bill). In light of the fact that notifications of breach of data are to be made only in the likelihood of ‘harm’ being caused to the data principal as under Section 32, this is even more troubling.
The draft Bill also states that personal and sensitive personal data can be processed if in accordance with an explicitly mandated Indian law, and this clearly justifies the Aadhaar in its entirety now that the court has validated its existence. Alarmingly, Section 45 does not discuss the requirement of consent when it comes to the large-scale use of data for research or archival purposes (seen to be a ‘national treasure’), which clearly gives further credence to the idea of a project premised upon mandatory collection of personal data.
These exceptions provide greater scope for surveillance, an issue the Bill remained silent on with regards to the Aadhaar.
- Role of UIDAI
The draft Bill appears to have strengthened the status of the UIDAI particularly in relation to matters of dispute settlement, by placing the burden upon the data fiduciary i.e. the UIDAI to approach the courts. While the Committee report recognizes the need to ensure the autonomy of the UIDAI, adjudicatory power has been proposed to be granted to the UIDAI (in addition to the power of other Adjudicatory Officers) and at the same time, the exclusivity of allowing the UIDAI to file complaints has been maintained. This only strengthens the legitimacy of privacy incursions by the UIDAI by allowing it to effectively have discretion over claims of data breaches.
The next post can be found here.