The Aadhaar Act’s a done deal. What next?

More clarity is needed on the extent and scope of commercial utilisation of the world’s largest human database

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill 2016 was passed by the Lok Sabha as a money bill. Simultaneously, the Government withdrew the National Identification Authority of India Bill languishing in Parliament since 2010.

This transition is significant, for it establishes the primary purpose of Aadhaar as not to get individuals an identity document per se, but as a financial identifier for error-free benefit transfers of expenditures covered by the Consolidated Fund of India (CFI), to rightful beneficiaries. With this, the Government has got the right to use Aadhaar enrolment as a means to deliver and track benefits.

Over a billion Aadhaar cards have been issued, digital seeding of beneficiary names with Aadhaar numbers and nominated bank accounts is well under way for over 30 central DBT schemes, and a bank-led agent-assisted payments network is being set up nationwide.

The Aadhaar piece is the kingpin, the traceable identifier that authenticates every beneficiary and credits benefits or any rightful payments into a designated Aadhaar-linked bank account. Aadhaar’s principal differentiator is biometric authentication to establish whether you are who you claim to be, and identical twins have differentiating biometrics. Thus, Aadhaar constitutes a ‘governance tool’ for the provision of public services.

However, opportunities exist for other actors — full service banks and payment banks, even merchants — to offer services built upon Aadhaar-authentication. The ready and licensed accessibility of a unitary, verified database can save huge KYC costs for individual service providers.

Greater common good?

It is important to establish whether the Aadhaar repository is a broader ‘public good’ accessible to all, like a national highway, or is to remain an exclusive ‘e-governance’ enabler of the Government. This has implications not only for state agencies, but also for the huge digital payments market opportunity that awaits India.

The Aadhaar Act is formulated specifically for expenditures covered under the CFI. Thus, its extension to benefits transfers by State governments is not automatic. To derive its full benefit, there is a need to introduce mirroring State-level legislation for expenditures not covered by the CFI.

More clarity is needed on the extent and scope of commercial utilisation of the UID database, especially sharing or licensing of the information to private parties. These opportunities are not explicit in the Act, although the concepts of a Requesting Entity and an Aadhaar User Agency are introduced.

Will the Aadhaar User Agreements be universally accessible to service providers? For what types of financial and non-financial services? Under what conditions and safeguards? Widening Aadhaar’s scope also brings to the fore appropriate concerns relating to personal rights, data security and related accountabilities in respect of the security of the world’s largest human database. Some stakeholders have questioned whether the world’s largest human database is secure, robust and hack-proof enough. Technical experts maintain that sufficient safeguards are in place, including 2048-bit encryption and distributed, redundant storage.

The Government, particularly UIDAI, needs to: (a) allay the general concerns partly rooted in insufficient knowledge; (b) demonstrate the safeguards already addressed in the system architecture; and (c) use appropriate best-in-class technology to maintain the integrity of the database.

Repository of faith

The primary custodianship of the identity information is with the UIDAI. Even though all persons with licensed access to Aadhaar-related information are liable to keep it secure and confidential, the penalties are meagre in relation to the potential misuse. The ₹10,000 fine (₹1 lakh for a company) is far weaker than the penalty under the Information Technology Act 2000, which prescribes for a transacting party compensation up to ₹5 crore for mishandling ‘sensitive personal data’.

It is imperative to affix unambiguous responsibilities for the integrity and security of the database and build appropriately strong deterrents and penalties for breach and unauthorised usage. The UIDAI’s external liabilities are not clarified in the Act but these would need to be appropriate to the potential impact from misuse.

At a minimum, there should be principles of liability cover and procedures in line with the banking and finance sector because enrolment is at the State’s behest. In essence, Aadhaar authentication is concerned with validating an individual. To what extent does non-biometric information exchanged constitute sensitive, personal information proprietary to the person, more than already available forms such as PAN card, credit card, driver licence, electoral lists, etc.?

What are the limits (one-time or carte blanche) to the prior consent for use of the identity information? Who owns the customer data? Can an individual opt out and ask for complete withdrawal and erasure of the information given? All these questions go beyond Aadhaar and can be settled only under a privacy law to which the Government should accord high priority in the parliamentary process.

Hopefully, the procedural rules under the Act will address and clarify these issues.