Aadhar by Ordinance

Implemented for its first seven years without any legal backing whatsoever, Aadhar as a citizen (or rather, resident) identifier — remains a work in progress. While a comprehensive law on privacy, or even on data protection, continues to elude the country, the Supreme Court in 2018 had found fault with some aspects of the Aadhar law. This is what the government is now set to tweak through an ordinance. But the Union Cabinet’s recent decision to take the ordinance route raises concerns that private operators can still get people to part with personal data and biometrics (albeit voluntarily), which would contravene the Supreme Court’s landmark verdict on Aadhar. After all, the apex court by a majority decision had ruled as ‘unconstitutional’ even voluntary use of Aadhaar authentication by private entities. Ostensibly, to effect that ruling, the government last month pushed the Aadhaar and Other Laws (Amendment) Bill, 2018, through Lok Sabha but failed to do so in Rajya Sabha. Going for an ordinance so close to general elections is bound to invite Opposition ire. There was a row with the Aadhar law in 2016 too, when the Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act was passed in Lok Sabha as a Money Bill, bypassing Rajya Sabha and leaving the Opposition fuming. The Modi government had then argued that this was necessary as the Aadhar project, a UPA brainchild, had been implemented since 2009 without Parliament making a law to underpin it. Be as it may, the ordinance now allows private entities like banks and telcos to use Aadhaar as an electronic ‘know your customer’ (e-KYC) means for authenticating user identity. It must be done by ‘voluntary choice’ and no person will be denied service for not possessing Aadhar number, the ordinance makes clear. To do this, the government has amended the Telegraph Act and the Prevention of Money Laundering Act. But won’t customers face hassles and longer waiting periods if they withhold Aadhar details? The ordinance allows those turning 18 to scrap their Aadhar number if they so desire, and gives more powers to UIDAI. It further allows any entity to carry out Aadhar authentication ‘as per UIDAI regulations’, as may be permitted ‘by a law made by Parliament in the interest of the State’.

When challenging the Aadhar law in Supreme Court, the petitioners had pointed to the large ecosystem using Aadhar — State governments, enrolment partners and private entities. Can the Unique Identification Authority of India (UIDAI) overseeing the Aadhar programme, ensure the security of its vast database by all these players? While the UIDAI claims its Aadhar database is fully secure, cyber experts have voiced concerns that a system like Aadhaar-enabled payments system (AePS) makes it vulnerable to hacking and identity theft. With the 12-digit Aadhar number seeded into bank accounts, PAN card, mobile SIMs and various databases, what is the guarantee some administrator will not make all these connections via Aadhar to profile users? This could have far-reaching implications regarding government control and stifling dissent, fear activists. So it is not just a matter of data security — what could be at stake is the larger issue of civil liberties associated with the right to privacy (which the Supreme Court has upgraded to be read under the fundamental right to life and personal liberty). The government swears by Aadhar to weed out bogus beneficiaries and make schemes leak-proof, so that only the deserving get LPG cylinders, PDS foodgrain and other benefits. But the problem of ‘exclusion’ — the poorest of the poor unable to access welfare — does not go away. There are other questions, like whether Aadhar should be linked to voter ID, which will essentially turn it into a citizenship test. In States like Telangana, Gujarat, Jharkhand or UP, talk of Aadhar-voter ID linking has drawn much controversy. All these just go to show what happens when the government puts the cart before the horse. Let alone any overarching law on privacy, the country has no law on data protection, even as the government bets big on Aadhar. This has put our tech industry on the defensive vis-a-vis the United States and Europe with strong privacy regimes. With the BN Srikrishna committee report on data privacy already in government hands, the time is nigh to address this basic shortcoming.