[Co-authored with Renuka Sane]
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ["the Aadhaar Act"], as the name suggests, aims at targeted delivery of subsidies, benefits and services by providing unique identity numbers based on an individual's demographic and biometric information. Enrollment into Aadhaar is, in principle, voluntary - both as per the Central Government's own stand and repeated orders of the Supreme Court since 2013. The Government has, however, slowly been linking government (and other services) to the Aadhaar card. Since January 2017, the Government has issued 22 notifications making Aadhaar mandatory for receipt of a range of services, ranging from the Mid-Day Meal scheme to maternity benefits. The Aadhaar number is likely to become a pre-requisite for filing income tax returns and applying for a PAN card.
As of March 2017, more than 1.1 billion individuals have been enrolled in the system and 4.9 billion authentication transactions have taken place. In the process, the Government has expanded the scope and coverage of Aadhaar while the Supreme Court has yet to decisively settle questions about constitutional challenge.
In this article, we ask if the legal foundations on which the Aadhaar operates match up to the requirements of a program that is likely to touch the lives of all citizens of India. Can we, as citizens of India, be satisfied that there are enough checks and balances in the functioning of Aadhaar?
This is important as we have already started seeing implementation problems in the form of failure of biometric authentication, server and connectivity problems, cryptic error messages, and the irrevocability of the biometric, all of which have left the Aadhaar number holder and intended recipient of a subsidy without any remedy. As well, in the absence of an over-arching privacy law, our regulatory surveillance architecture is heavily weighted in favour of the State leading to the very real possibility of strengthening mass surveillance with little regard for the effect on individuals' rights to privacy.
What should the legal framework provide?
A program such as Aadhaar, should be built on sound legal foundations. At the very least, the Aadhaar scheme should be able to guarantee first, good governance by the Unique Identification Authority of India ["UIDAI"], the statutory body responsible for the functioning of the Aadhaar system; second, privacy protection from the State and the private sector against the misuse of the Aadhaar number; third, security protection against data breaches; and fourth, an effective grievance redress mechanism against mistakes, deception, and abusive practices.
We evaluate the Aadhaar Act and the subsequent regulations on two issues namely their scope and ambit, and security standards. In a follow up article, we will focus on the privacy, accountability, and enforcement concerns that arise in the current legal framework.
Concerns about the Aadhaar Act
In a recent paper, Towards a privacy framework for India in the age of the internet, we proposed a privacy framework that incorporated universally accepted privacy principles and analysed the Aadhaar Act against these benchmarks. Our critique of the Aadhaar Act focused on the lack of clarity surrounding the scope and ambit of the Act; the absence of any meaningful provisions on consent; the omission of privacy considerations; the role of private companies; and inadequate redress mechanisms.
The Act leaves too much to be specified by the Regulations. For instance, the definition of biometric information [Section 2(g)], the procedure for sharing [Section 23(2)(k)], and publication [Section 29(4)] of an Aadhaar number holder's information are left to be specified by regulations. This causes uncertainty about the scope and ambit of the Aadhaar Act, apart from concerns about the lack of Parliamentary scrutiny over any subsequent Regulations. In fact, the constitutionality of the Act can be challenged on the ground that it delegates essential legislative functions, including important decisions on policy, to the Executive, and lacks sufficient control over its exercise (See Re Delhi Laws Act, AIR 1951 SC 332; Avinder Singh v State of Punjab, AIR 1979 SC 321; and Ajoy Kumar Banerjee v UOI on excessive delegated legislation).
Concerns with the Aadhaar Regulations
In an attempt to address some of these criticisms, the Government, through the UIDAI, released detailed Regulations on enrollment, authentication, data security, and sharing of information in September 2016. These Regulations are also incomplete for two reasons.
Lack of clarity on the scope and ambit of the Regulations
As with the Act, the UIDAI, which was expressly tasked with notifying the Regulations under the Aadhaar Act, has failed to exercise such power delegated to it, causing further uncertainty about the working of the Act and the Aadhaar Scheme. The UIDAI, while notifying various regulations in September 2016, left multiple aspects of the functioning of the Aadhaar Scheme to be ``specified by the Authority'', i.e. to be specified by itself at a future undetermined date.
For instance, the UIDAI was empowered under Section 23(2)(a) of the Act to "specify, by regulations, demographic information and biometric information required for enrollment and the processes for collection and verification thereof." However, Regulations 3(2) and 4(5) of the Enrollment Regulations leave the ``standards'' for collecting biometric and demographic information, required for enrollment, to be specified by the Authority for this purpose. Thus, despite being tasked with laying down the regulations to govern the enrollment and collection of demographic and biometric information, the UIDAI's own Enrollment Regulations leave the specification of such standards to be notified by itself at some point in the future.
Similarly, Regulation 13(2) of the Enrollment Regulations on the generation of Aadhaar numbers states The Authority shall process the enrollment data received from the Registrar, and after deduplication and other checks as specified by the Authority, generate the Aadhaar number. There is no guidance to the UIDAI on what kind of checks should be laid down, and principles that have to be followed in the interim, before further regulations are notified.
Through the four substantive regulations, the phrase specified by the Authority has been used 51 times (See Regulations 3(2), 4(5), 7(2), 8(2), 8(4), 11(2), 11(5), 13(2), 14(2), 17, 19(c), 20, 22(2), 23(5), 25(1), 29(2), 31(2), 32(1), 32(2), 32(3), 34 and Rules 17, 19, 22, 23, 24, 25, and 26 of the Code of Conduct in Aadhaar (Enrollment and Update) Regulations 2016; Regulations 6(2), 7(3), 12(1), 12(2), 12(4), 13(1), 14(1)(d), 16(8), 18(1)(c), 18(1)(d), 18(2), 19(1)(a), 19(1)(h), 22(2), 22(3), 23(2)(a), 28(3), and 28(4)(a) of the Aadhaar (Authentication Regulations); Regulations 4(2), 5(a), and 6(1) of the Aadhaar (Data Security) Regulations; and Regulations 4(1) and 4(2) of the Aadhaar (Sharing of Information) Regulations, 2016).
In some cases this may be justified because the standards relate to technical aspects such as the collection of information, the mode of updating residents' information, convenience fees, and certification processes; which may require a separate set of rules outside the regulations. However, important issues surrounding the enrollment, storing, and sharing of data -- issues that determine how our sensitive, personal information is collected, authenticated, stored, used, and shared with third parties -- have been left unspecified. This does not seem to have deterred the Government from pushing forward with the Aadhaar project.
The incompleteness of the various Regulations notified by the UIDAI underscores the lack of specificity in the working of the Act and the Regulations. The powers delegated to the UIDAI have in a sense been 'delegated' to its future self, to be notified when the UIDAI deems it appropriate. There is thus complete uncertainty about when, and whether, any future regulations will be notified by the UIDAI or whether the enrollment process will continue in this legal vacuum.
Lack of specification of security standards
The incompleteness of the Aadhaar Regulations is not limited to the Aadhaar (Enrollment and Update) Regulation. It extends to other Regulations as well, such as the Aadhaar (Data Security) Regulations. Notably, Section 23(2)(m) of the Aadhaar Act empowers the UIDAI to specify, by regulations, "various processes relating to data management, security protocols and other technology safeguards under this Act." Given the vast quantities of sensitive, personal data that is being stored in one centralised repository, one would imagine that the UIDAI would be quick in clarifying all the security protocols and technology safeguards. However, through Regulation 3(1) of the Data Security Regulation, the UIDAI does not lay out any specific measures for ensuring information security, instead only stating that: The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies.
Regulation 5(a) then further requires service providers engaged by the UIDAI to ensure compliance with such information security policy ``specified by the Authority''. Such a policy, to the best of our knowledge, has not yet been notified.
Thus, despite the enactment of the Aadhaar Act and the notification of the Aadhaar (Data Security) Regulations 2016, the failure to notify/specify an information security policy has meant that the fear of identity theft remains. In fact, is only exacerbated in a country such as India, which does not have an adequate data protection regime, both in terms of the relevant legal provisions and effective enforcement mechanisms.
The Aadhaar regulations raise an important question on the consequences of a regulator's (UIDAI) failure to exercise the power that has been delegated to it, and to instead, postpone the specification of important standards/procedures to a future, undetermined time. In the meanwhile, the UIDAI is carrying on, and in fact, hastening, the process of enrollment, without any of these guidelines and processes having been notified. Thus, the various processes under the Act are happening in some sort of legal vacuum. This is a cause for worry.
Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is Associate Professor at the National Institute of Public Finance and Policy, New Delhi. Indian Statistical Institute, Delhi. We thank Anirudh Burman, Pratik Datta, Shubho Roy and Bhargavi Zaveri for useful discussions.