Right to Informational Privacy Vs. Right to Receive Benefits: the Intricacies of the Aadhaar Battle the Supreme Court of India

Right to Informational Privacy vs. Right to receive Benefits: The Intricacies of the Battle

The Supreme Court of India, in the case of Justice K.S. Puttaswamy & Anr v Union of India[1] (“Aadhaar Judgement”), combined with other writs and petitions, adjudicated on the legal validity and constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) and the overall scheme of Aadhaar in general. At the heart of the controversy stood, and still persists in the backdrop, the fundamental right to informational privacy juxtaposed with the fundamental right to receive benefits, subsidies and other government services. It must be noted that on a conjoint of Universal Declaration of Human Rights, Directive Principles of State Policy, fundamental rights, as enshrined in the , and the judgement of the Supreme Court of India in the landmark case of Justice K.S. Puttaswamy & Anr v Union of India[2], it appears that both of these fundamental rights are recognised as the essence and basis of human dignity and autonomy.

For the purposes of this Newsletter, we have adopted a two-pronged approach towards the issue as mentioned above. Firstly, as illustrated in Figure 1 below, we have endeavoured to flesh out the Supreme Court’s analysis on whether the encroachment of the State on informational privacy serves a legitimate purpose and is therefore proportional to the aim that the State seeks to achieve. Secondly, as illustrated in Figure 2 below, we have recorded the response of the Supreme Court and the key decisions therein on whether the Aadhaar Act, as it stood before the Aadhaar Judgement, upheld the various principles of data privacy as enshrined in the draft Personal Data Protection 2018 (“Draft Bill”), European Union General Data Protection Regulation 2016 (“EU GDPR”) and the existing data protection regime of India comprising Section 43A and Section 72A of the Information Technology Act, 2002, as amended from time to time, (“IT Act”) and the rules thereunder.

I. ENCROACHMENT ON INFORMATIONAL PRIVACY

1. How does the Aadhaar Act encroach upon the informational privacy of an individual?

S 3 of the Aadhaar Act mandates that in order to obtain an enrolment number or an Aadhaar card, an individual is required to part with certain information, i.e., a) demographic information such as name, date of birth, address, gender and e-mail and mobile number (being the optional information); and b) biometric information such as fingerprints, iris scan etc. which is considered to be ‘Personal Sensitive Information’ under the Informational Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Further, for the purpose of receiving any subsidy, benefit or service and as mandated under S.7 of the Aadhaar Act, an individual is required to undergo authentication that affirms his/ her identity.

The concern that arises in the aforesaid context is that, during the enrolment process, an individual has to part with certain personal information, including sensitive personal information. Further, the agencies that collect and verify such information of the individuals are more often than not private entities, thereby making such information vulnerable to misuse. Furthermore, the information is stored and maintained in the Central Identities Data Repository (“CIDR”) under the supervision of the authority established under the Aadhaar Act. The necessary inference from this is that the CIDR has logs of information with regards to the time and manner in which the individual avails any particular service/ subsidy/ benefit. It appears that these information silos individually may seem inconsequential, however if such information is aggregated, it provides a picture of beings thereby raising the allegation of excessive surveillance by the State.

[1] Writ Petition (Civil) No. 494 of 2012 decided on 26 September 2018.
[2] (2017) 10 SCC 1.

2. Is such encroachment lawful and necessary to fulfil a legitimate State aim?

The Aadhaar Judgement adopted a settled principle of law that an encroachment on fundamental rights, such as informational privacy in this case, can hold ground provided that it satisfies the following conditions, as more specifically illustrated in Figure 1:

[Figure 1: Test for determining the justifiability of restricting the right to informational privacy. Encroachment of Informational Privacy: Requirement of Law; Legitimate State aim; Doctrine of Proportionality (Legitimate goal stage, Rationale connection stage, Necessity stage, Balancing stage).]

a) Requirement of Law

In accordance with the condition of “Requirement of Law”, it is imperative that the State action is sanctioned by a law. In the present case, the dispute arose on the ground that since the Government passed the Aadhaar Act in 2016, the Aadhaar scheme that began from 2009 did not have the required backing of law. The Supreme Court adjudicated on the said dispute and held that the enrolment and authentication process conducted after the enactment of the Aadhaar Act has the required backing of law and is therefore valid. With regards to the enrolment under the Aadhaar scheme that began from 2009, it was held that S 59 of the Aadhaar Act specifically ratifies and provides legality to all the enrolments under the Aadhaar Scheme retrospectively.

b) Legitimate State Aim

In the concept of a welfare state, where measures are taken to ameliorate the sufferings of the downtrodden, the aim of the Aadhaar Act appears to be to ensure that the benefits, subsidies and services that form a part of almost 3 (three) percent of the Gross Domestic Product (“GDP”) do not get pilfered and dissipated away by frauds and duplicates in the system, and reach the populace for whom they are designed/ implemented. Accordingly, the Supreme Court held that such right to receive benefits and subsidies has been considered as the essence of human dignity and the State’s endeavours in ensuring or furthering such right satisfy the condition of “Legitimate State Aim”.

c) Doctrine of Proportionality

There are four limbs to the doctrine of proportionality as discussed in the Aadhaar Judgement and as illustrated in Figure 1 above. The first limb of the doctrine i.e. legitimate State aim has already been covered in the point hereinabove. Accordingly, we have listed down the following issues as deliberated by the Apex Court:

• whether the State by means of the Aadhaar Act and the regulations therein furthers the aim that it seeks to achieve (Rationale Connection Stage)?
• whether there are any less restrictive means that pursue the legitimate aim of the State or are there any alternate enactments to Aadhaar (Necessity Stage)?
• whether the benefits of Aadhaar outweigh the disproportionate effect that it has on the other rights of the citizens (Balancing Stage)?

i. Rationale Connection Stage

One of the key goals of Aadhaar is to issue a unique identity to the residents of India. Hence, each enrolment is biometrically de-duplicated against the biometrics of all residents, as is stored in the CIDR, to issue the Aadhaar number. This invariably implies that the mechanism to issue an Aadhaar number takes care of the duplication in the system.

Further, S 4(1) of the Aadhaar Act states that an Aadhaar number, issued to an individual, shall not be re-assigned to any other individual, thus making each individual under the Aadhaar enrolment unique. Furthermore, reference must be made to S 5 of the Aadhaar Act, wherein it is mandated that the authority shall take special measures to issue Aadhaar numbers to special categories of persons and to such other persons who do not have any permanent dwelling house, thereby succinctly identifying the real beneficiaries of the State’s benefits and schemes. S 7 of the Aadhaar Act makes the establishment of this identity a condition for receipt of a subsidy, benefit or service. A conjoint reading of the aforesaid provisions leaves no iota of doubt that the basic structure of the Aadhaar Act seeks to further the aim that the State seeks to pursue.

ii. Necessity Stage

In the instant case, the petitioners were not able to successfully demonstrate any less restrictive alternative to identify real beneficiaries, apart from the system of unique identity in Aadhaar and regulations therein as explained hereinabove, that may further the legitimate aim that State is seeking to achieve. Therefore, the basic structure of the Aadhaar held ground at the Necessity Stage.

iii. Balancing Stage

The court assessed the effects of the basic structure of the Aadhaar Act on the other fundamental rights, including informational privacy, and whether such effect is disproportionate to the advantage that it carries. The court, noting the allegation on the surveillance architecture that the Aadhaar structure promotes, observed that during the enrolment process minimal data is collected from the individuals and no information pertaining to caste, religion, tribe, medical history, income entitlements or the purpose for which the authentication is undertaken is disclosed and therefore such information is not collected, maintained, or stored by the UIDAI. This is to say that the authentication mechanism in the Aadhaar Act is purpose blind; accordingly, it was held that it is extremely difficult to create a profile of an individual simply on the basis of biometric and demographic information maintained in the CIDR.

Further, it was contended that the architecture of Aadhaar is probabilistic and therefore it may result in exclusion or a tendency to exclude the beneficiary from receiving any subsidy, benefit or service. For instance, if a person having a valid Aadhaar card wants to avail a particular benefit and in this regard submits the information to the authenticating service agency, there are chances that the authentication might fail because of the failure of the authentication mechanism, thus excluding such beneficiary from receiving the benefits. However, the State demonstrated that the authentication mechanism has the accuracy of 99.86 % and has further issued guidelines and scheme on exception handling, and in addition has the oversight of Technology and Architecture Review Board and Security Review Committee. Therefore, the court held that the basic structure of the Aadhaar Act has struck a fair balance between the right to informational privacy of an individual with the right to life of the same individual as a beneficiary.

II. AADHAAR ACT vs. DATA PRIVACY: ODE TO AN OVERARCHING REACH OF THE AADHAAR ACT

Pursuant to the aforesaid analysis of the constitutional validity of the Aadhaar Act, it is important and befitting to look at various aspects of Aadhaar Act in light of the basic data privacy principles as enshrined under the existing data protection regime in India, EU GDPR and the Draft Bill. In order to understand the Apex Court’s response to the said aspects of the Aadhaar Act, reference must be made to Figure 2, as provided below.

In Figure 2 below, the colour ‘red’, as is used for ‘treatment of children’ and ‘storage limitation’, illustrates that the Aadhaar Act did not uphold these principles in spirit. The colour ‘green’, as is used for ‘data protection and security’, illustrates that the Aadhaar Act and the regulations made there under adequately protects the data collected from the individuals. Lastly, the colour ‘grey’, as is used for ‘data minimisation’ and ‘purpose limitation’, illustrates that the Court was not convinced in entirety that the Aadhaar Act promotes the principles of data minimisation and purpose limitation.

[Figure 2: Analysis of Aadhaar Act against the principles of data privacy. Panels around “AADHAAR ACT 2016”: Data Protection & Security; Data Minimisation; Treatment of Children; Purpose Limitation; Storage Limitation.]

1. Does Aadhaar Act provide for storage of data, as required for the purposes of authentication, for a reasonable and limited period of time?

In accordance with the data privacy principles, it is important that a data processor, i.e. Unique Identification Authority of India (“UIDAI”) does not store/ maintain the collected data for a longer period of time, other than what is required for the authentication purposes, in order to restrict any vulnerability of misuse of such data. This assumes greater importance in the case of Aadhaar Act as it does not give an individual the right to be forgotten or right to request the erasure of the data.

Aadhaar (Authentication) Regulation 2016 (“Authentication Regulation”) requires the UIDAI to retain the authentication transaction data for a period of 6 (six) months and archive the same for a period of 5 (five) years thereafter. Similarly, Regulation 18 (3) & 20 (3) of the said Authentication Regulation allow requesting entities and authentication service agents to retain the authentication logs for 2 (two) years and archive the same for a period of 7 (seven) years.

In the backdrop of the aforesaid, the Supreme Court noted that if the purpose of collecting such transactional data is solely authentication for affirming the identity of an individual and enabling such individual to receive the benefit, then such transactional data should not be retained or archived for a long period of time pursuant to completion of such authentication. Therefore, in absentia of right to be forgotten, the Court held that such transaction data can only be retained for 6 (six) months and be deleted thereafter by UIDAI and the entities as mentioned above.

2. Does Aadhaar Act provide for adequate treatment of children in terms of safeguarding informational privacy?

The data privacy legislations across the globe provide special emphasis on safeguarding the privacy of children naturally flowing from the concern of subsequent harm as they are not even capable of giving informed and fair consent.

In the similar vein, the Supreme Court held that, for the enrolment of children under Aadhaar Act, it is important to obtain the consent of their guardian(s) or parent(s), and thereafter once they attain majority, they should be given a right to opt out or exit from the scheme of Aadhaar if they choose to. Further, the Court emphatically held that no child should be denied benefit of any of the schemes even if due to any reason they are not able to provide Aadhaar number. All such schemes/ services /benefits shall be provided to them by verifying the identity on the basis of other documents available with them under applicable laws. Further, the Court held that right to receive education is a fundamental right under the Indian Constitution and therefore Aadhaar enrolment and authentication cannot be made a pre-condition for securing admissions in schools.

3. Does the Aadhaar Act and the regulations there under provide for adequate protection of the information or the data collected under it?

For the purposes of data protection, the respondents were able to demonstrate that the Aadhaar Act and Aadhaar (Data Security) Regulation 2016 (“Security Regulation”) provides for adequate protection of data at the current stage. With regards to vulnerability of misuse of Aadhaar Data at the time of enrolment and authentication by the private entities, the Court observed that at the time of enrolment the data collected by the private entity forthwith gets transmitted in the encrypted form to the CIDR thereby moving the data out of the reach of such private entities. Further, at the time of authentication, such authentication is conveyed through a leased line circuitry using secure protocols, thus the possibility of sharing the information with the private entities is eliminated.

On the point of hacking of CIDR, the Court observed that adequate firewalling and other safety features are adopted to secure the data. Furthermore, such biometric data in the CIDR is stored offline thus limiting the possibility of hacking.

On the front of foreign biometric solution providers, the Court observed that as the biometric data is stored offline therefore such data is outside the reach of such entities even though the source code remains with the foreign entities being their intellectual property.

Further, coupled with penal consequences for violation or leakages of data and several data security policies being in place, the Court held that the Aadhaar Act adequately protects the data and indicated that the Draft Bill is a step in the right direction for developing a robust data protection regime.

4. Whether the Aadhaar Act and the regulations made there under make use of the data for the limited purpose for which it was sought in the first instance?

It is important that the data collected under the Aadhaar Act is utilised solely for the fulfilment of the legitimate aim for which it was sought, otherwise, it would taint the idea of free consent. Section 2 (f) (w) and (x) of the Aadhaar Act provides for the definition of benefit, service and subsidy, respectively, and does not specifically stipulate the specifics of such benefit, service and subsidy. Further, the Central Government may notify any advantage, gift, reward, relief, payment, provision etc. to be made conditional on Aadhaar authentication, thereby over reaching its purpose. In this regard, the Supreme Court explicitly held that the Government cannot take the umbrage under the aforesaid provisions to enlarge the scope of subsidies, services and benefits and specifically laid down the contours of such benefits to be in the nature of welfare schemes for which the resources are to be drawn from the Consolidated Fund of India.

Accordingly, the Court struck down various provisions of the Aadhaar Act and circulars issued by specific Government departments that over reached the basic purpose of Aadhaar. It struck down such portion of S 57 of the Aadhaar Act that allowed the private entities to use Aadhaar for the purposes of authentication and verification and specifically mandated that no private entity shall insist on Aadhaar. The Court also struck down S 33 (2) of the Aadhaar Act that mandated disclosure of the information collected in the interest of national security in pursuance of a direction of an officer not below the rank of the Joint Secretary to the Government of India.

Further, the Court also struck down the amendment to Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005¹ as amended by the Prevention of Money Laundering (Maintenance of Records) Seventh Amendment Rules, 2017 that mandated linking of Aadhaar number with bank accounts. The Court also struck down the Circular dated 23 March 2017² issued by the Department of Telecommunication mandating the linking of Aadhaar with the mobile number for both new and existing subscribers.

However, the Supreme Court noted that S 139AA of the Income Tax Act, 1961 aims to prevent income tax evasion by providing for linkage of Aadhaar number with PAN in order to eliminate duplicate PANs from the system. Therefore, such individuals who have already provided their information to obtain a PAN do not have a legitimate reason for withholding the information/ data required for obtaining Aadhaar on grounds of violation of privacy.

5. Does the UIDAI collect only the limited amount of data that would be sufficient to serve the legitimate State aim?

There are three specific kinds of information or data that are collected under the Aadhaar Act and the regulations there under. Firstly, it collects certain demographic data such as name, date of birth, address, gender and e-mail and mobile number and specifically excludes information pertaining to caste, religion, tribe, medical history, income entitlements etc., thereby upholding the principle of data minimisation.

¹ Rule 9 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005, as amended, provides for submission of Aadhaar for purpose of verifying the records pertaining to identity of clients.
² File No. 800-26/ 2016-AS II, available at: http://www.dot.gov.in/sites/default/files/Re-verification%20instructions%2023.03.2017.pdf?download=1 (last accessed on 5 October 2018).

Secondly, it collects core biometric information such as fingerprints, iris scan etc. The multiplicity and the combination of such biometric information is required to increase the accuracy of de-duplication and authentication process. The collection of such sensitive personal information is essential to pursue the legitimate state aim and thus qualify the principle of data minimisation.

Lastly, the Authentication Regulation allows the UIDAI to collect ‘metadata’ which essentially means the information about the information. This is to say that UIDAI can collect information about the details of all the transactions for which enrolment under Aadhaar is made a pre-condition. Such wide powers of collection and retention of transactional data have the potential to track, profile and create surveillance. The Supreme Court explicitly limited the collection of such metadata to process metadata which is necessary for the purposes of authenticating transactions, troubleshooting, security compliance and improving performance. Thus, the Court directed the amendment to R 26 of Authentication Regulation to specifically restrict the collection of metadata to process metadata.

III. CONCLUSION

The Supreme Court of India addressed several key issues and the following are the key takeaways from the Aadhaar Judgement:

• The Supreme Court watered down the contention that the basic structure of the Aadhaar Act promotes surveillance architecture;
• The Court addressed overarching provisions of the Aadhaar Act that had the potential of creating disproportionate impact on other rights of the citizens including right to informational privacy as mentioned hereinabove;
• It is pertinent to note that there is a stark difference between the majority judgement delivered by the Supreme Court and the minority opinion delivered by Justice Chandrachud; and
• Justice Chandrachud asserts that the structure of Aadhaar is unconstitutional on the ground of violating right to informational privacy and that the introduction of the Aadhaar Act as a Money Bill is a fraud on the Constitution.

However, it remains to be seen how the transition from the Aadhaar Act, as it stood prior to the Aadhaar Judgement, to an evolved Aadhaar framework, as discussed in the Aadhaar Judgement, takes effect. Meanwhile, India is bracing to move towards a new data protection regime as the Draft Bill awaits the review of the Ministry of Electronics & Information Technology.