Privacy Vs. Effective Administration: Aadhaar Amendment Act
The Aadhaar and Other Laws (Amendment) Bill, 2019 was passed by Rajya Sabha on June 24th, 2019. It replaces an ordinance promulgated on March 2, 2019, which aimed to circumvent Supreme Court judgement of September 2018, which struck down Section 57 of the Aadhar Act that permitted private entities like telecom companies and banks to use Aadhaar data.
Salient Features
- Offline verification of Aadhaar number holder: The amendment allows ‘offline verification’ of an individual’s identity, without authentication, through modes specified by the Unique Identification Authority of India (UIDAI) by regulations. It will be based on informed consent and Aadhaar using agencies will not collect, use or store Aadhaar number or biometric information.
- The Bill amends the Telegraph Act, 1885 and the Prevention of Money Laundering Act (PMLA) 2002, so that banks and telecommunication companies can verify the identity of their clients by voluntary online authentication (e-KYC) or offline verification of Aadhaar or any other documents notified by government. Moreover, no person shall be denied of any service for not having an Aadhaar number.
- Entities that can use Aadhaar: An entity may be allowed to perform authentication through Aadhaar, if the UIDAI is satisfied that it is: (i) compliant with certain standards of privacy and security, or (ii) permitted by law, or (iii) seeking authentication for a purpose specified by the central government.
- Voluntary Use: Individual may voluntarily use his Aadhaar number to establish his identity, by authentication or offline verification and can be made mandatory only by a law of Parliament.
- Aadhaar for Children: Enrolling agency shall seek the informed consent of his parent or guardian before the enrolment of child. Moreover, after attaining eighteen years of age, the child may apply for cancellation of his Aadhaar.
- Disclosure of Information in Certain Cases: It has made the disclosure of information criteria stringent by elevating the rank of issuing authority or court. E.g. High Courts (or above) replaced District Court (or above) and Secretary replaced a Joint Secretary.
- UIDAI Fund: It created the Unique Identification Authority of India Fund crediting all fees, grants, and charges received by the UIDAI and will be used for expenses of the UIDAI, including salaries and allowances of its employees.
- Complaints: Earlier courts could take cognizance of an offence only if the UIDAI registers a complaint but now individuals can also register complaints for impersonation or disclosure of their identity.
- Aadhaar Ecosystem: Amendment defines the Aadhaar ecosystem to include enrolling agencies, requesting agencies, and offline verification-seeking entities and allows the UIDAI to issue necessary directions for the discharge of its functions under the Act.
- Complaints Adjudication and Penalties: UIDAI may initiate a complaint against an entity in the Aadhaar ecosystem for failure to (i) comply with the Act or the UIDAI’s directions, and (ii) furnish information required by the UIDAI. It will be adjudicated by officers appointed by UIDAI which may impose penalties of up to one crore rupees and Telecom Disputes Settlement and Appellate Tribunal shall be the appellate authority.
Indian Telegraph Act, 1885
- It governs the use of wired and wireless telegraphy, telephones, teletype, radio communications and digital data communications and entails exclusive jurisdiction and privileges on government for establishing, maintaining, operating, licensing and oversight of all forms of wired and wireless communications within Indian territory. E.g. Issuing of sim cards, use of satellite phones, amateur radio and receivers for plane-spotting etc.
- Section 5 of the Telegraph Act is commonly known as the wire-tapping clause and empowers government to take possession of any licensed telegraphs in case of a public emergency or in the interest of public safety.
- In People’s Union for Civil Liberties v. Union of India case, Supreme Court ruled that telephone tapping is a serious invasion upon an individual’s privacy. However, lawful interception can be carried out under certain circumstances mentioned in the wiretapping provision of the act.
Prevention of Money Laundering Act (PMLA), 2002
It was enacted in January 2003, and came into force from July 2005, which defines the offence of money laundering as an act of directly or indirectly attempting or assisting or being involved- in any process or activity connected with the proceeds of crime and projecting it as untainted property.
- It prescribes obligation of banking companies, financial institutions and intermediaries for verification and maintenance of records of client’s identity and transactions and furnishing information to the Financial Intelligence Unit-India (FIU-IND).
- FIU-IND was setup in 2004, as the central national agency responsible for receiving, processing, analyzing and disseminating information relating to suspect financial transactions.
- It is also responsible for coordinating and strengthening efforts of national and international intelligence, investigation and enforcement agencies in pursuing the global efforts against money laundering and related crimes.
Criticisms of the Amendment
- Amendment was brought to circumvent a Supreme Court order on the Aadhaar issue.
- It will help banks and telecom companies but it should have been extended to all regulated financial services firms, mutual funds, insurance and payment firms covered under the PMLA 2002, which cannot use e-KYC immediately.
- Aadhaar collects sensitive data about individual and sharing it with private entities, or in case of data theft or hacking, may lead to breach of privacy.
- No method to ensure safety of offline data.
- It should have been brought after passing data safety bill based on Justice Srikrishna Committee report, to avoid threat of data security.
Arguments in Support
- Parliament has the legislative powers to undo a Supreme Court judgement.
- Aadhaar is a foolproof system that employs strong end-to-end 2048-bit encryption and over 123 crore people are currently using it in the country. Aadhaar system has enough safeguards to ensure privacy of the cardholder, which should allay fears of data leakages.
- Aadhaar can be extended to other financial agencies after the formation of data safety regulatory authority by passing data safety bill.
- Further, it discloses only name, father’s name, date of birth, residential address of the user and does not give out any information on medical records or details of caste, religion and community.
- Government reassured that it is bringing a comprehensive law for data safety, after consulting all the stakeholders, which will be based on Justice Srikrishna Committee report on data protection.
Way Forward
- Bring comprehensive legislation on data safety and its regulation, which is a burning issue after rising threat of cyber security attacks and cases of data theft worldwide. E.g. Data leaks and theft at Google and Facebook.
- Ensure the safety of offline data however minimal it is, to infuse faith in the UIDAI system.
- Follow the decree of Supreme Court and keep the use of Aadhaar voluntary and make it mandatory only to check leaks in welfare schemes. E.g. Saving leaks in subsidies via JAM trinity (Jan Dhan, Aadhaar and Mobile).
- Minimal use of forced disclosure of Aadhaar data and It’s transparent governance.
- Set accountability on the authorities empowered to take decision on disclosure.
- Information dissemination about data safety in Aadhaar and informational empowerment of people, to deter any misuse of Aadhaar data.