Why Modi govt is amending Aadhaar Act and what it means for your privacy

Critics allege that with the new Bill, the Centre is looking to circumvent the Supreme Court order passed earlier this year

The Narendra Modi government has introduced a Bill in parliament that propose amendments to various laws that underpin the Aadhaar ecosystem, in a move that comes after a Supreme Court verdict earlier this year curtailed the sprawling nature of India’s biometric authentication programme.

The Aadhaar And Other Laws (Amendment) Bill 2018, which was passed by the cabinet two weeks ago and introduced by information technology minister Ravi Shankar Prasad in the Lok Sabha on Wednesday, contains a host of amendments that have to be passed to comply with various aspects of the apex court’s judgements.

These include: provisions to help make the biometric scheme voluntary, clauses that will allow the Unique Identification Authority of India (UIDAI) to more effectively police its ecosystem and options to cancel Aadhaar numbers when one turns 18.

The most controversial change, however, are two proposed amendments to the Telegraph Act and the Prevention of Money Laundering Act. The amendments will allow banks and telecom operators to continue using voluntary Aadhaar authentication as a means of linking Aadhaar numbers to bank accounts and mobile SIM cards.

Critics and privacy advocates say that these two amendments specifically are in contravention of the Supreme Court judgement.

“The Supreme Court…. explicitly prohibited use of Aadhaar by private parties by declaring Section 57 of the Aadhaar Act, 2016, as unconstitutional. This section provided grounds for Aadhaar-based authentication by private entities as well,” a statement by Rethink Aadhaar, a non-partisan campaign that is critical of the UID project, said on Tuesday.

“The present bill proposes amendments to the Aadhaar Act, Telegraph Act and the Prevention of Money Laundering Act which will circumvent the SC judgment, and allow the continued use of Aadhaar-based e-KYC authentication by private entities for mobile and banking services, respectively,” it added.

When Prasad introduced the Bill in the Lok Sabha on Tuesday, it drew sharp criticism from opposition party members.

Congress MP Shashi Tharoor said that it would enable “private organisations to get Aadhaar details which is in violation of the Supreme Court judgement” and that it failed to protect the right to privacy.

Revolutionary Socialist Party’s N.K. Premchandran said: “Kindly see the definition of Aadhaar. The original Aadhaar definition has been changed… since it is in violation of Supreme Court judgement, I strongly oppose the Bill.”

What are the problems with the Bill? Does it really run afoul of the Supreme Court verdict? And which amendments deserve further public consultation? The Wire, which has accessed a copy of the Bill, breaks it down.

Broad objectives

The overarching details of the amendments are as follows:

1) Make it ‘voluntary’: The Bill goes out of its way to add the word ‘voluntary’ to various clauses.

A new sub-section under Section 4 of the Aadhaar Act will now include the sentence: “Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations.” (emphasis added).

The ‘voluntary’ clauses are also added to the proposed amendments to the Telegraph Act and PMLA Act. For instance, a sub-section to be added to the Telegraph Act notes that usage of Aadhaar authentication as a mode of identification shall be a “voluntary choice of the person who is sought to be identified and no person shall be denied any service for not having an Aadhaar number”.

This, critics allege, is disingenuous as in many parts of the country, even ‘voluntary’ Aadhaar usage can often and easily mean that furnishing an Aadhaar number is the quickest way of getting a job done. Secondly, with the Bill, the government still retains its ability to make Aadhaar mandatory for “provision of any service” if it is “required by a law made by parliament”. This means that the law doesn’t wholly commit itself to making sure Aadhaar is purely voluntary.

2) Amending Telegraph and PMLA Act: This is the biggest change. The Supreme Court verdict struck down Section 57 of the Aadhaar Act, which meant that technically speaking, no private entity could carry out Aadhaar authentication. This, legal experts said at the time, signalled the effective death of what is known as ‘e-KYC’ or electronic-Know-Your-Customer technology.

A day after the verdict was passed, finance minister Arun Jaitley hinted that e-KYC could be brought back for specific entities if it was backed by a law passed by parliament. This Bill thus seeks to amend the Indian Telegraph Act, 1885 and the Prevention of Money Laundering Act, 2002, to “provide for the use of Aadhaar authentication”.

Simply put, this means that banks and telecom operators can now continue to link Aadhaar to bank accounts and mobile SIM cards (and use Aadhaar authentication). The only caveat is that this should be done on a “voluntary basis” and allow for “other modes of identification”.

This amendment has drawn scathing criticism, primarily because many legal experts see it as circumventing the Supreme Court’s striking down of Section 57. Writing for The Wire shortly after the apex court verdict, advocates Vrinda Bhandari and Rahul Narayan noted that allowing use of Aadhaar by private players was “unconstitutional” and hence could not be “resurrected through legislation”.

It remains to be seen if this will pass muster in the Rajya Sabha, where the Centre does not have a majority, if the amendments aren’t introduced as a money bill.

3) Legalising ‘offline’ verification: The Bill also contains amendments that sanction the creation and use of offline verification tools for Aadhaar. These methods, which include QR codes, do not require Aadhaar authentication, sharing of Aadhaar numbers or involve UIDAI’s servers.

When it was introduced, the UIDAI promoted it as a privacy-respectful mechanism that also solved problems such as lack of connectivity in rural areas and problems with Aadhaar’s fingerprint and iris authentication.

4) Regulating entities in the Aadhaar ecosystem: The biggest problem with India’s biometric programme has been with its sprawling ecosystem. This includes state governments, enrolment partners and private entities that use Aadhaar.

This was a grievance raised by petitioners before the Supreme Court and acknowledged by the five-judge bench. The Bill looks to counter some of this criticism by first allowing entities to perform authentication “only when they are compliant with the standards of privacy and security specified”.

Secondly, the Bill gives greater regulatory powers to the UIDAI to issue directions to any “entity in the Aadhaar ecosystem”, as well as enhance “restrictions on sharing of information by requesting entity”. The amendments also crucially give the Aadhaar body power to levy civil penalties when entities within the ecosystem mess up.

Privacy advocates feel that this isn’t enough to tackle the problem of Aadhaar-related fraud.

“There is no indication that either the finance ministry or the UIDAI has attempted to address these security lapses in the Aadhaar ecosystem. Allowing and encouraging the use of Aadhaar-based authentication by private entities will result in further scams and theft,” the Rethink Aadhaar statement notes.

Secondly, the Bill gives greater regulatory powers to the UIDAI to issue directions to any “entity in the Aadhaar ecosystem”, as well as enhance “restrictions on sharing of information by requesting entity”. The amendments also crucially give the Aadhaar body power to levy civil penalties when entities within the ecosystem mess up.

Privacy advocates feel that this isn’t enough to tackle the problem of Aadhaar-related fraud.

“There is no indication that either the finance ministry or the UIDAI has attempted to address these security lapses in the Aadhaar ecosystem. Allowing and encouraging the use of Aadhaar-based authentication by private entities will result in further scams and theft,” the Rethink Aadhaar statement notes.