The discourse around Aadhaar has only aggravated since its inception, and one of the primary contentions of the debate has been lack of a statutory force behind the initiative. Amidst all the speculations, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 was introduced on 3rd of March as a money bill, on the grounds that subsidies and other benefits will be drawn from the Consolidated Fund of India. The Bill seeks to resolve the contention of the lack of a legislation backing Aadhaar. The Bill also allows for more schemes to be attached to Aadhaar in future. Presently, there are a handful of schemes attached to the Aadhaar which have been approved by the Supreme Court. The Bill is an ambitious task to provide a framework for operationalization of Aadhaar.

A Cursory Glimpse

The Bill, establishing the Unique Identification Authority of India (UIDAI) as the authority for the functionality of the Aadhaar process, provides for the conferment of an Aadhaar number, to every resident who submits her identity information. The Bill, in this context defines a resident in clause 2(5). Clause 2(n) provides that identity information includes biometric information and demographic information. Biometric information includes photograph, finger print, Iris scan, or such other biological attribute of an individual as may be specified by regulations. The demographic information includes information relating to name, date of birth, address and other relevant information of an individual specified by regulations but significantly excludes information about race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

According to clause 9, an Aadhaar number shall not confer or be a proof of, citizenship or domicile The Bill also carries a provision which may require Aadhaar holders to update their biometric and geographic information. The inconsistency in predictability of biometric data of an individual has been a contentious issue but the object of the provision here is as mentioned, the continued accuracy of the information in the repository.

Dissecting the Clauses

The Bill elevates the existence of an Aadhaar number to a proof of identity by virtue of clause 4(3).

Chapter IV of the Bill establishes the UIDAI as a body corporate, consisting of a Chairperson, a CEO and two part-time members. The CEO of the Authority will not be below the rank of Additional Secretary to the Government and will be appointed by the Central Government. The chapter deals with functions of the members, grants by Central Government, accounts and audits, qualifications and enumerations of the members. The Authority is responsible for the establishment, operation and maintenance of the Central Identities Data Repository. Clause 49 provides that the members of the UIDAI will be deemed as public servants. Clause 50 provides that the Central Government is not empowered to issue directions pertaining to technical or administrative matters undertaken by the authority.

Clause 16 of the Bill places restrictions on the Chairperson and members of the UIDAI who have ceased to hold office. It bars them from accepting employment in any management or company, which has been associated with any work contracted by the UIDAI, for a period of three years after the expiry of their employment. Listing the functions of the UIDAI, clause 23 provides that the authority shall formulate policies, procedures for issuing Aadhaar numbers and for the performing authentication of the same. The Authority is designated to carve out regulations including process of collection of information, specify what includes biometric and geographic information. The specifications have been left open to the authority, including the appointment of an entity to operate the Central Identities Data Repository.

The Bill creates a Central Identities Data Repository [Clause 2(h)] which will be the centralized database containing all Aadhaar numbers and details thereto. It will also be responsible for authentication and verification of the information provided by Aadhaar holders, at the time of enrollment. The registration of Aadhaar, has been made voluntary by the force of the Court’s order in August, 2016.

In light of this, clause 7 of the Bill mandates that proof of Aadhaar number is  necessary for the receipt of certain subsidies, benefits and services. The clause carves out a potential exception to the effect that if an Aadhaar number is not assigned to an individual, an alternate means of identification shall be offered for delivery of benefits.

Enabling accessibility to the Aadhar process, clause 5 of the Bill provides for special measures for issuance of Aadhaar to senior citizens, children, persons with disability persons who do not have any permanent dwelling houses. The clause is inclusive in nature.

Chapter VII of the Bill deals with penalties and liabilities for several offences. Impersonation at the time of enrolment as well as impersonation for the purpose of changing the demographic information of an Aadhaar number holder, is punishable with imprisonment. Providing a heavy liability for companies, clause 43 states

Where an offence under this Act has been committed by a company, every person who at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

A provision which stands out in the chapter listing out penalties is Clause 44. It reads as follows:

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person, irrespective of his nationality.

(2) For the purposes of sub-section (1), the provisions of this Act shall apply to any offence or contravention committed outside India by any person, if the act or conduct constituting the offence or contravention involves any data in the Central Identities Data Repository (5(f))

Privacy Provisions in the Bill:

The statement of objects and reasons appended to the Bill states that it seeks to provide “for measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository”. 

Chapter VI of the Bill is built around the protection of information by the Authority, collected through the enrolment process. The Bill qualifies biometric information collected and stored in electronic form, as “electronic record” and “sensitive personal data or information” within the meaning of the Information Technology Act, 2000. The distinction between core biometric information and biometric information has been visibly emphasized. Clause 29 imposes a restriction on sharing information and bars the use of core biometric information for any purpose other than for the generation of Aadhaar numbers and authentication.

Clause 28(3) reads

“The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.”

Clause 28(5) further provides that the Authority or its officers or employees or any agency which maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone.

The Bill provides for information privacy at the stage of enrollment. According to Clause 3(2), the enrolling agency, which is appointed by the UIDAI for collection of identity information is bound to inform the individual at the time of enrollment, details about (i) the manner in which information collected will be used, (ii) the right of accessibility of information at the hands of the individual and the (iii) the nature of recipients of the information.  The manner of communication of such information has been left open to specific regulations which will be prescribed by the UIDAI.

The Bill provides for authentication of Aadhaar number by a requesting entity in relation to his biometric information or demographic information. Clause 2(u) defines “requesting entity” to mean an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Clause 8(2) makes it mandatory for the entity requesting authentication to obtain consent from the person whose information is to be collected for such authentication. It requires the requesting entity to ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication. The clause further provides that the Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.

With respect to identity information, clause 29(3) restricts the use of such information available with a requesting entity and states that the identity information will only be used for the purpose specified to the individual at the time of enrolment and only with the prior consent of the individual.  Clause 32 enables an Aadhar number holder to access her/his own information and also mandates that records of request of authentication of an individual, should be maintained.

The functions of the Authority include performing authentication of Aadhaar numbers, deactivation of Aadhaar numbers. Clause 23(m) empowers the Authority to specify, by regulations, various processes relating to data management, security protocols and other technology safeguards under this Act; The UIDAI, according to Clause 23(q) is also entrusted with the function of promoting research and development for advancement in biometrics and related areas, including usage of Aadhaar numbers through appropriate mechanisms;

Disclosure of Information

Envisaging an exception to the protection of information provisions, clause 33 allows for disclosure of information in certain instances. It provides that disclosure of information, including identity information or authentication records is permissible if made in pursuance of an order of a Court (at least District judge), or in the interest of National Security by an officer of the level of Joint Secretary or above. However, the Bill does not define national security and the term in itself is vague and overbroad. It provides that such a direction shall be reviewed by an oversight committee consisting of Cabinet Secretary and Secretaries of Legal Affairs and DeitY. The problems of third party independent oversight and the volume of requests remain as is the case with the oversight committee under the Blocking Rules and the Telegraph Rules. The provisio appended to clause further provides that the direction in the interest of national security shall lapse after the expiry of three months from the date of issue.

Clause 37 of the Bill enshrines a penal provision for unauthorized disclosure of any identity information collected in the course of enrolment or the authentication process. This provision speculates a penalty for individuals as well as companies who engage in unwarranted disclosure. The Bill imposes a penalty for unauthorized access to the repository (clause 38), for tampering with data on the repository (clause 39). Chapter VII further provides for punishment of a requesting entity for unauthorized use of identity information.

The Bill contains vital provisions in terms of requesting entity applying for authentication, access of identity information by an Aadhaar-number holder to introducing liabilities. However, a deeper glance shows that several regulations are yet to be prescribed and have been left open-ended. The actualization of a legislation should however, not be conceived as a satisfactory response to the yet to be heard struggle for determining privacy as a constitutional right.