Sankalp Srivastava
Introduction
This article is written broadly in the context of the documented categories of misuse of the Aadhaar regime to impose mandatory authentication by private players and the State. For instance, private service providers continue to make Aadhaar mandatory for availing their services. In many cases, it goes unreported, but there are documented instances of this occurring. These instances are alarming, considering that heavily regulated private entities like banks have adopted this procedure. Furthermore, there are examples of such instances having received adjudicative deliberation due to overreach by the State. Such as, when the Election Commission of India was compelled to give an undertaking that it shall not make Aadhaar card linkage mandatory, or the Delhi High Court’s decision on the prima facie unlawfulness of a Delhi Government circular due to violation of the principles laid down in Justice K.S Puttaswamy (Retd.) and Another v. Union of India ( “Aadhaar judgment”)
The instances of misuse of Aadhaar listed above inform the scope of the article. However, more categories have been documented, such as cases where there is a difference in negotiating power between the requesting entity and the individual providing their Unique Identification Number, such that they cannot avail service from an alternate entity. This difference is most visible in adopting DigiYatra at airports as a “seamless” procedure and in the instance of COVID-19 vaccinations. Both are instances where Aadhaar authentication is introduced when citizens are availing of a crucial service. The opportunity cost of not availing the service, or delayed service in these cases, compounds the lack of negotiating power described above. Moreover, there is a lack of responsive measures to address data breaches that have occurred regularly for the past few years.
This article is an exposition of the legal issues surrounding the widely occurring Aadhaar-based identity verification procedures (“Aadhaar authentication”). It does so by successively covering the content and context behind the legal and regulatory regime governing Aadhaar authentication, the instances of adjudication where the issue of Aadhaar linkage came up before courts, and subsequently, the procedural implications of the practice being ignorant of privacy rights and principles. The article then offers a solution to the oversight at a structural level, which involves equipping the executive to make better decisions through organisational initiatives that enable adherence to principles, regulators utilising penalties, and public consultation. The article concludes with thoughts on the relationship between fundamental rights and a Rule of Law deficit in Indian privacy law.
Overview of Law Governing Mandatory Authentication via Aadhar
When it comes to the mandatory authentication procedure imposed on individuals availing private services, examining what the legal regime has delineated for such circumstances is useful.
Section 8 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 has most notably, since its inception, provided for the requirement of an alternative to submission of identity verification via Aadhaar. Non-compliance with the requirements of this section has been codified as a distinct penalty under the Aadhaar Act.
Further, requesting entities are bound by the Regulations to comply with all rules, regulations, policies, manuals, procedures, specifications, standards, and directions issued by the UIDAI via the Aadhaar (Authentication and Offline Verification) Regulations, 2021. Most notably, Regulation 5 provides that the requesting entity must provide the information specified in Section 8 (regarding alternatives to submission of identity information) at the time of authentication.
Section 4(6) – of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is another crucial provision with a history which says that amongst the requirements to be fulfilled by the requesting entity during the procedure of verification, is that of stating that the individual has an alternate means of identification. This is important because the identity verification procedures, in many cases, have been done historically with other documentation. In fact, in some cases, Aadhaar authentication is being rejected to ascertain particular information about the individual. However, this procedural safeguard falls short of ensuring procedural fairness in toto, as shall be seen in later sections of the article.
The Context in Which The Law Operates:
Given the non-ambiguity in language utilised in the provisions above, it is worth examining the following information regarding the context in which they were enacted and subsequently amended:
- The effect of the Aadhaar judgment necessitated the change in law to incorporate the decision of the Hon’ble Supreme Court of India, concerning the mandatory requirement imposed by service providers who act as “requesting entities”. Service providers include private and governmental service providers as long as they satisfy the definitions of the Act that apply to them.
- The 2016 enactment contained a provision for authorising private companies to collect data in an uncontrolled manner in Section 57. In the Aadhaar judgment, the Supreme Court struck down the clause to the extent it states that Aadhaar can be used without restriction by private entities if it is authorised by “any contract to this effect”.
Presently, there is also the context of the further changes made, such as the proposed amendments to the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020, and the recent instituted amendments to the Aadhaar (Authentication and Offline Verification) Regulations, 2021.. These changes demonstrate the extent to which delegated legislation can occur that can affect citizens’ rights prejudicially.
Overview of Adjudication on the Subject
There have been a few instances where the question of mandatory Aadhaar authentication has come up before adjudication by the courts. In Noel Harper v. Union of India and Ors., the Supreme Court of India read down the provision in the Foreign Contribution (Regulation) Act, 2010, which provided for Aadhaar as the only option for identity verification for completing the processes under the Act. It is arguable whether the nuances of this interpretation, which operates ostensibly by placing Indian nationals on a similar footing as foreign nationals, would translate to actual practice due to the ambivalence surrounding other relevant instances where State’s formulated practice needs to be compliant, as discussed in the beginning of this article already.
Another case where the courts displayed sensitivity regarding the Aadhaar linkage is the case involving the linkage of Universal Account Numbers (“UAN”)s with the Aadhaar. The practical difficulties of Aadhaar took centre stage in the case titled Association of Industries and Institutions v. Union of India and Another. Regrettably, before the Delhi High Court could adjudicate on the issue of whether the seeding of the UAN with Aadhaar was permissible in light of the Aadhaar judgment’s observations made in this regard, the petitioners made a request to withdraw the writ petition owing to the interim orders made in the case.
The above two cases are instances in which a full determination of the rights of individuals could not be realised fully. While the Supreme Court in the Aadhaar judgment specifically gave an example of employment benefits such as pension being those that accrue to the individual and hence are excluded from the bar to illegality of Section 7, there is a diverse range of cases where such individual freedoms can be restricted. In this circumstance, one need only glance at the matters already in receipt of adjudicative deliberation by various courts ,which range from linkage by telecom service providers to linkage with electoral rolls. It emerges that a case-by-case analysis will be necessary and the watchfulness of citizens in this regard will be invaluable.
And What of the “Handmaiden of Justice”?
There is significant ambiguity regarding privacy breaches, occurring as they do on an abstract level within the technological realm in most current instances. While procedural fairness is the cornerstone of any law, it has often been called the “handmaiden of justice” in devising innovative remedies for petitioners under common law. However, the issue at hand concerns a more foundational premise of the law that has been established and reiterated in an equally eloquent manner, allowing for unfair procedures to be challenged under Article 14 of the Constitution of India. Recently, in a division bench judgment, the Hon’ble Supreme Court reaffirmed the position of procedural fairness as a right in itself, which must be assessed regardless of the effect of procedural lapses on the outcome of a case. This is a valuable proposition of law, due to the fact that in many cases, privacy breaches which occur in the digital sphere have a scope that is unforeseeable.
A plausible theoretical justification for the State’s continued breaches of law governing mandatory Aadhaar authentication is that perhaps the Indian State does not govern conscientiously, especially in regard to areas where two views are possible – namely, in unadjudicated cases or even merely discretion-offering instances. The extent to which judges are bound by “principles” other than merely “legal standards” is what Ronald Dworkin discusses in what has been aptly called his “Doctrine of Judicial Discretion”, whereby it can be said that judges act within a frame of possible interpretations to the frame of reference, particularly in “hard cases”. It is in these situations that the effectiveness of a law (in this case, the Aadhar judgment) is put to test, not in the least by the application of the principles of delegated legislation to executive officials who may be placed with the authority to exercise such discretion.
It is also necessary to challenge the validity of the practice and procedure of mandatory Aadhaar authentications on the notion of implied consent, seeing as it is a convenient argument liable to be invoked in the public sphere. The Right to Privacy is considered a fundamental right after the 9-judge bench judgment of the Supreme Court of India in Justice K.S. Puttaswamy and Ors. Vs. Union of India (UOI) and Ors. affirmed the Right to Privacy’s existence in Indian law.
Considering this unassailable status of the Right to Privacy, the doctrine of waiver cannot be said to apply to the Right to Privacy inherent in the enrolment and use of an Aadhar Unique Identification Number, since this doctrine does not extend to the fundamental rights enshrined in Part III of the Constitution of India. There is ample jurisprudence on the non-derogable position of Fundamental Rights, stemming from the landmark case of Olga Tellis v. Bombay Municipal Corporation which signifies the coverage of all forms of practice – from arbitral decrees by consent to State law that seeks to pose restrictions on a Fundamental Right.
Curing the Defect- How Might Stakeholders Proceed
To be sure, the problem of non-compliance is a many-headed hydra that is omnipresent within the Indian regulatory space. Almost simultaneously, many Indian legislations have witnessed a rise in suits that request the State to act on its own laws. In the case of the Mental Healthcare Act, 2017, it was the lack of formation of Mental Health Review Boards, whereas in the field of Environmental Laws, a comprehensive overview of compliance with environmental laws was initiated by the National Green Tribunal that identified the appointment of staff as one of the reasons for deficit compliance and monitoring. This has also been the case with the field of digital governance, where the Cyber Appellate Tribunal’s functioning has faced hiccups due to non-availability of a chairperson previously, while it has now been merged with the Telecom Dispute Settlement and Appellate Tribunal. It would seem that regardless of the problems in equipping tribunals and their staff to discharge their functions, there have been new adjudicatory bodies created to deal with complaints in the digital sphere, such as the Data Protection Board under the Digital Personal Data Protection Act, 2023 and the Designated Appeals Committee under the Telecommunications Act, 2023.
The enactment of legislation is just the first step of creating a compliant regulatory environment, which takes place in a much more organic process which necessarily cannot preclude bringing stakeholders on board. In the area of digital governance, this stakeholder is in major part the staff, at every level of government, that can be expected to implement or review the implementation of the laws. Hence, as an illustration, this includes equipping both the police officer who files an FIR under a constitutionally invalid IT Act provision and the member of the executive who ostensibly creates a consent-violating airport signup procedure for facial recognition. This is not in the least because of the application of the doctrine of judicial discretion to delegated legislation framed by the executive, but can also be attributed to their strength as an epistemic community to shape compliance and indeed even adjudication in their quasi-judicial capacities which are ever-expanding. In other words, administrators and bureaucrats are identifiable as a community which has cohesive values and similar policy aims and that can be utilised for effecting better rulemaking or procedure formulating.
It may well be true that Indian executives operate with an eagerness to utilise Aadhaar authentication for services, whereas the State’s non-adherence to recognised privacy principles can be traced back to the pre-Aadhaar judgment era. Hence, equipping the executive would necessarily entail a degree of awareness about the principles of privacy, which is best attained through organisational initiatives for this purpose – including training and updating standard operating procedures, to name a few. This has been attempted by the Unique Identification Authority of India (“UIDAI”) when it communicates with government departments regarding the utilisation of Aadhaar authentication for delivery of subsidies. However, it must concurrently discharge its burden to enforce the provisions of the Aadhaar Act. Specifically, the UIDAI must diligently exercise its powers as the only institution or person empowered under the Aadhaar Act to institute complaints before the Adjudicating Officer. The report of the Comptroller and Auditor General is also instructive in this regard, as it advises suspension of those Authentication Service Providers which do not adhere to auditing requirements, as it is a way to ensure compliance with the Aadhaar Act.
The effect of the breach of parliamentary conventions on public consultation has become the norm as a vast majority of lawmaking occurs without adherence to the policy framed for this purpose in 2014. It is only through public consultation that a culture of adherence by the executive is created, because through this process of deliberation the State engages in making a law that is most enforceable and aware of its impact on fundamental rights.
Conclusion
Mandatory Aadhaar authentication procedures are a serious concern for the cybersecurity and digital privacy rights of individuals. In turning a blind eye to departmental and private sector misuse, the Indian State only implicitly warrants damage to the Rule of Law. Coercion and lack of monitoring make illegal mandatory Aadhaar verification procedures occur with impunity. This successfully cultivates an oppressive legal regime that risks collapsing due to inherent contradictions, although this will not be the first time blatant disregard to clear regulatory or judicial prohibition has occurred. At the heart of these legal problems is the inherent defect in having a Unique Identification Number linked with every private and government service , mostly occurring illegally in the “blind spot” of the State’s purportedly watchful eyes.
The author is an independent researcher, B.A. LL.B. (Hons.), graduated from Symbiosis Law School, Pune in 2019.
NUALS Law Journal 