Modi Government’s Aadhaar Amendment Bill Violates SC Judgment

(This article was first published on 26 June 2019. It has been republished in the light of the Supreme Court on Friday, 22 November 2019 asking the Centre to respond to a plea challenging the constitutional validity of the amendments made in the law.)

The Aadhaar and Other Laws (Amendment) Bill 2019 is listed for debate and passage in the Lok Sabha today. The Bill was originally tabled back in January, but despite being passed in the Lok Sabha, was not passed by the Rajya Sabha prior to the dissolution of the Lower House for the general elections, leading to its lapse.

The Modi 1.0 government had promulgated an ordinance in February to bring the amendments in the Bill into being, but since this cannot be a permanent measure, the Bill has been reintroduced in Parliament in this session.

What Amendments is the Bill Seeking to Make?

The Bill includes amendments to the Aadhaar Act 2016, Indian Telegraph Act 1885 and Prevention of Money Laundering Act 2002.

The text of this Bill is the same as the ordinance and the original Bill. Law and IT Minister Ravi Shankar Prasad argued that the amendments were required because of what the Supreme Court said in its Aadhaar judgment of 26 September 2018.

The Bill includes 13 “salient features,” but the important ones are:

1. A specific provision in the Aadhaar Act allowing use of Aadhaar for authentication and offline verification on a voluntary basis (including for private services);
2. Explicit prohibition of denial of services for children and others unable to authenticate because of age, infirmity or illness;
3. Amendments to Section 33 of the Aadhaar Act, which allows disclosure of Aadhaar information in certain circumstances, ostensibly to comply with the Supreme Court’s directions;
4. Specifying a civil penalty of up to Rs 1 crore for contravention of the Aadhaar Act by anyone part of the “Aadhaar ecosystem”;
5. Amendment of the Indian Telegraph Act and the PMLA to specify Aadhaar as a mode of verification for clients for mobile services and financial services (banks) respectively.
6. Enrolment of children for Aadhaar can only be done with the informed consent of the child’s parent or guardian. Once the child attains the age of 18, they can ask for cancellation of their Aadhaar number. NOTE: The Supreme Court had also said people who had been enrolled before the Aadhaar Act 2016 should be given an opportunity to opt out, but the Bill does not provide a mechanism for this.
7. Deletion of Section 57 of the Aadhaar Act (the old provision used to link Aadhaar to private services).

On a cursory glance, the amendments could appear to be in compliance with the Supreme Court’s judgment from September 2018. The majority opinion authored by Justice Sikri had upheld Aadhaar as constitutional, and though it had held that it could not be used for authentication for private services, there was some ambiguity as to whether or not this could be done on a voluntary basis.

But do the amendments stand up to further scrutiny? Unfortunately for the government, not all of them do.

Problematic Amendment 1: Aadhaar Authentication for Private Services

Rewind to 2017, and the government appeared to be making Aadhaar mandatory to avail not just welfare schemes, but private services as well, despite the Supreme Court’s interim orders in 2015 which had prohibited this.

The most contentious of these attempts became the mandatory linkage of mobile numbers and bank accounts with Aadhaar, which finally made people who had ignored the warnings about Aadhaar’s linkage to welfare and benefits, sit up and take notice. The Supreme Court finally ordered interim stays on Aadhaar linkage (though these only came after the Centre agreed to postpone the deadlines) and of course in its final judgment in 2018, held this was unconstitutional.

Despite the judgment, private entities like Paytm and banks, continued to ask for Aadhaar, with some continuing to insist it was mandatory, while others claimed this could be on a voluntary basis, seeking to rely on an ambiguity in the judgment. The ambiguity arose from paragraph 367 of Justice Sikri’s majority judgment, which said:

However, this exception for voluntary usage was not mentioned anywhere in the final conclusions in the judgment, which instead merely said Aadhaar could not be used for authentication by private entities. This was not done on some sort of whim, but because it would not pass the test of proportionality, and the potential misuse of individual biometric and demographic information by private players, which “impinge on the right to privacy.”

The government will no doubt argue that the way they have structured things in the amendments ensures there is no violation of the right to privacy, since it is on a voluntary basis, requires informed consent, and requires any authenticating entity to satisfy the UIDAI of their privacy and security standards.

But this isn’t how the amendments actually play out, for a number of reasons.

First off, the use of Aadhaar for authentication/offline verification on a voluntary basis is only specified in the new subsections being added to Section 4 of the Aadhaar Act. The specific provisions amending the Telegraph Act (which applies for telecom companies) and the PMLA (which applies for banks) do not make Aadhaar voluntary. Instead, they say that the relevant entity “shall identify” clients (ie, perform KYC) using Aadhaar, passports or other any other form of identification notified by the central government.

The option of a passport is a false choice, since only 5.15 percent or so of Indians have passports, according to MEA data, and the government’s past record on notifying other forms of identification through subordinate legislation for Aadhaar has been consistently terrible.

The problem of excessive delegation to future subordinate legislation (ie regulations or rules) is one that runs throughout the amendments, and scuppers their ability to satisfy privacy concerns. Too many things are left to be notified subsequently by the Centre, including the supposed privacy and security standards, which have to be met before an entity can use Aadhaar for voluntary authentication, and the alternate means of identification for children or ill people which is meant to prevent exclusion from public services.

One way to address the privacy concerns would be if there were a strong data protection law in place which could prevent private entities from misusing Aadhaar data. Unfortunately, while the Srikrishna Committee submitted its report and draft data protection bill to the government way back in July 2018, no bill has been introduced in Parliament yet.

In response to objections to the introduction of the Aadhaar amendments on these lines, the Law & IT minister stated in Parliament that the data protection bill is ready, and will be introduced soon. Introducing the Aadhaar amendments before this would be putting the cart before the horse, as till such time as a data protection law is put in place (or the standards for privacy otherwise specified), the court’s privacy concerns are unlikely to be addressed.

According to Apar Gupta, Supreme Court advocate and Executive Director of the Internet Freedom Foundation, this would mean that,

There is also an argument to be made that it is impossible to amend the Aadhaar Act 2016 to allow usage of Aadhaar by the private sector, because of its designation as a Money Bill. When it was being debated in Parliament, a number of amendments to the then Aadhaar Bill were passed by members of the Rajya Sabha, including prohibition of private sector usage. The government got around these by designating the law as a Money Bill, which meant the Rajya Sabha’s approval wasn’t necessary anymore.

In his dissenting opinion in the Aadhaar judgment, Justice DY Chandrachud had found this to be a “fraud on the Constitution”, and so struck the whole Aadhaar Act down as unconstitutional. The majority opinion didn’t go so far, but as Raman Chima, Policy Director at Access Now says,

Problematic Amendment 2: Provisions on Disclosure of Information

The Aadhaar Act contains prohibitions against disclosure of Aadhaar information to anyone, and the UIDAI is supposed to ensure this information is kept secure and confidential.

However, Section 33 of the Aadhaar Act allowed for disclosures in certain circumstances:

• Under Section 33(1), where there was an order from a court not inferior to a District Judge, and the UIDAI had been given an opportunity to be heard by the court.
• Under Section 33(2), where a government officer not below the rank of Joint Secretary directed disclosure in the interests of national security.

The Supreme Court held that Section 33(1) had to include an option for the relevant Aadhaar holder to be heard by the court, not just the UIDAI.

The majority opinion also struck down Section 33(2) as it stood since a determination on national security needed to be made by an officer with a higher rank, and that any such direction could only be made with the involvement of a judicial officer (preferably a sitting high court judge).

While the proposed Aadhaar amendments make the necessary changes to Section 33(1), they fail to do the needful for Section 33(2). The only change proposed to this is for a Secretary rather than Joint Secretary to have the power to issue a direction in the interest of national security – no involvement of a judicial officer is brought in. This means the amendment clearly contravenes the apex court’s judgment, and is unconstitutional.

Will the Amendments Become Permanent Law?

The amendments have been drafted without any public consultation, which is unfortunate given the potential impacts that these amendments could have on the rights of citizens. Though it may be difficult to see any possibility on public consultation now that it has been introduced in the Lok Sabha, there remains a possibility for a Parliamentary committee to review the Bill and suggest amendments, in this House or the next.

When the amendments were originally introduced in the Lok Sabha, it was passed without any significant debate, despite its introduction being opposed by MPs Shashi Tharoor, NK Premachandran and Sougata Roy.

NK Premachandran also objected to the introduction of the Bill in Parliament on 24 June, saying:

Premachandran went on to point out that a data protection law was a prerequisite for any Aadhaar amendments, and listed all the problems discussed above.

There are certainly organisations and private citizens who have taken the same stance, and are likely to challenge these amendments in the Supreme Court. As described above, there are good grounds to challenge it, since the amendments suffer from the same flaws the Supreme Court had identified with the Aadhaar Act previously. The Bill cannot change the nature of the Aadhaar Act by allowing private company usage as this was precisely why the Supreme Court read down Section 57 of the Act in the first place.

Of course, this would require the filing of a writ petition challenging the Bill once it becomes law and for the Supreme Court to hear arguments on this point, provided of course that it gets passed by the Rajya Sabha – there is little chance it won’t make it through the Lok Sabha.

Did Private Companies in the Aadhaar Ecosystem Know About the Amendments in Advance?

One particularly concerning aspect of these amendments is that private companies seem to have known exactly how things were going to turn out, including that the government would go down the ordinance route if necessary.

While opposition MPs were caught on the wrong foot by the amendments, which were introduced without any notice, a report in Asia Times indicated that private companies involved in the Aadhaar ecosystem may have been aware of government plans to introduce these amendments back in September 2018, in the aftermath of the Supreme Court judgment.

The report includes a leaked audio recording of an alleged conversation between members of the iSpirt lobbying group, including (supposedly), Sharad Sharma, Sanjay Jain (former chief product manager for Aadhaar) and in-house legal counsel for Khosla Labs, a major private player in the industry. The three of them discuss their strategy for addressing the consequences of the apex court’s judgment, including whether or not they consider it to have banned use of Aadhaar for private services altogether.

The position of the speakers is clear: that the judgment doesn’t preclude usage of Aadhaar in the private sector, though this would need a new legislative enactment. During the conversation, one of the speakers seems to indicate he knew what the government’s next steps were, including somehow knowing that an ordinance was in the works.

The subsequent speaker seems to indicate that they are not quite aware what view the government has taken on this matter, and says that the ordinance or amendments are essential to bring the law in consonance with the Supreme Court’s judgment, either which way. He is still confident that things will end up in a way favourable to iSpirt’s interpretation, and that after the law is amended, private players will continue to be allowed to use Aadhaar on a non-mandatory basis.