Can Aadhaar be saved?

What’s essential for the unique identification number to continue is a strong law. But what should it look like?

A key thrust of the 2012 writ petition filed in the Aadhaar case (Puttaswamy versus Union of India) was that the executive action in implementing Aadhaar was unconstitutional in the absence of a law.

Later developments in the case, including the government’s argument that there is no fundamental right to privacy, and the limitations placed in the use of Aadhaar unique identity numbers in the interim orders, have overshadowed this objection.

Reports from earlier this month indicate the government is considering re-introducing some version of the National Identification Authority of India bill (NIAI bill), with finance minister Arun Jaitley stating that a draft was ready.

The first version of the draft law was rejected by a parliamentary standing committee in 2011, chiefly on the grounds of lack of clarity of purpose, potential for fraud and misuse, and high security risks.

The concerns raised by the committee report, and by the Supreme Court (SC) in its interim orders must be adequately addressed in a new draft for it to pass both parliamentary and judicial assessment.

What’s been wrong with Aadhaar?

It is a daunting task to cull out all the grounds of opposition to Aadhaar, since fears and objections of different shades have been raised. However, three broad strands can be gleaned.

One is that Aadhaar infringes the privacy and personal liberty of the individual. This includes objections to both the collection of biometric data and the uses (yet to be exhaustively specified) that such data could be put to.

The second argument goes that Aadhaar will not address the problems it claims to solve, such as exclusion of the most marginalized communities from basic services. Instead, it will exacerbate them, because Aadhaar numbers are mandatory in fact, notwithstanding government press statements, and many still do not have it.

The third main argument is that the data security framework in place for Aadhaar is inadequate, and the most personal data of 930 million people are at risk.

Not all these concerns can be addressed through law.

If SC holds that the very act of storing the fingerprints of citizens, even with consent, is a violation of privacy (as some petitioners have argued), then the basis for the programme will be lost.

Some of the objections, however, can be addressed through a legal framework which establishes safeguards and limitations, and more importantly, gives adequate recourse to individuals if those safeguards are violated.

The NIAI bill, however, abdicated its responsibility by handing over most of the decision-making power to the Unique Identification Authority of India (UIDAI), the authority in charge of Aadhaar.

A better Aadhaar?

The new bill should not repeat its mistakes. The objections relating to compulsoriness, privacy and data security must be addressed adequately in it to pass muster.

First, on the compulsory use of Aadhaar. The directive that Aadhaar is optional and can only be used on the basis of free and informed consent must bind not only UIDAI but also the government and private institutions that use the service.

Further, it is inadequate to merely state that Aadhaar is consent-based, or even declare it so in law. Effective recourse must be established in case of violations; for example, in the shape of a grievance redressal authority that is sufficiently empowered to take meaningful action.

Second, there has to be greater certainty on the uses that the Aadhaar number can be put to.

UIDAI has stressed on several occasions that it does not store the source of each authentication, and therefore, it is not possible to track the usage of Aadhaar with respect to an individual over a period of time.

This by itself is not sufficient.

Even with this design, authorities other than UIDAI can cause the convergence of databases where the Aadhaar number is seeded, linking databases to get detailed profiles of citizens. If, for example, Aadhaar numbers are provided for a marriage licence, a gas licence, an entrance examination and for registering a lease deed, then linking the information provided to these public service providers using the Aadhaar number as the common factor gives unprecedented levels of information to the state.

This must be made explicitly illegal.

Further, one of the most troubling aspects of the Aadhaar number is the attempts made to use it in criminal investigation. A public example of this was when the high court in Goa ordered UIDAI to share a database with the Central Bureau of Investigation (CBI).

While this was contested by UIDAI and overturned by SC, measures such as these should not be dependent on the inclinations of the executive in charge at the time.

The design of the unique identification number assumes that its usage is open-ended. At the very least, however, no-go areas should be designated in the law.

If the Aadhaar number has been designed for only civilian, not law enforcement or security purposes, the law should say so.

Third, on data security and protection, more needs to be said. While a law should aim to be technology-neutral, requirements such as independent security audits, or preconditions for private contractors entrusted with data belong properly in the bill.

Who watches the watchers?

All of these measures depend on a strong system of oversight and accountability.

Oversight was missing from the NIAI bill, which only contained a provision for an identity review committee.

That committee’s sole function was to write an annual report on the usage of the Aadhaar number. It was appointed by a search committee where two of the three members belonged to the executive wing of government.

This falls considerably short of the standards of oversight. As a result, if a government service provider demands an Aadhaar number before providing a service, in spite of repeated SC orders and UIDAI advertisements, an individual will have no recourse except the courts.

Instead, models akin to the privacy commissioners proposed by the group of experts on privacy, chaired by former judge A.P. Shah, should be adopted in the bill to address non-compliance with the safeguards in the proposed law, unauthorized disclosures as well as security breaches.

A single law cannot address all the fears of surveillance and privacy invasion that have been validly raised in the last few years.

A privacy bill that actually addresses the issues at hand, along with stronger data protection regulations, must be demanded.

But a new NIAI bill is a good place to start.