Expand Aadhaar only after ‘national security’ is defined. Pavan Duggal on the contentious Bill

Despite the fact that the Aadhaar Bill aims to remove duplicity in the subsidy system and ensure that subsidies reach the right people, there is uncertainty over the fact that the Aadhaar database could be misused.

Union Finance Minister Arun Jaitley, in his Rajya Sabha speech, said that the database will be shared with security agencies on grounds of national security and a court order. Opposition and critics say that privacy of a billion people could be compromised and have warned that agencies could misuse the data in order to profile and target individuals.

Pavan Duggal, an advocate specialising in the field of cyberlaw and e-commerce law, spoke to Catch about the negative and positive aspects of the Aadhaar Bill and the possibilities of a massive breach and surveillance.

Q: What is your assessment of Jairam Ramesh’s statements on the Aadhaar bill?

A: Jairam Ramesh’s statement on Aadhaar Bill represents legitimate concerns. However, the same have not been accepted by Lok Sabha.

The negative implications of Aadhaar Bill being passed as a Money Bill is that Rajya Sabha did not get its legitimate share to state its opinion in the passing of the Bill. All Money Bills, by their intrinsic nature as provided in the Constitutional framework, once passed by Lok Sabha, will be sent to Rajya Sabha, which in turn has 15 days to send the bill back to the Lok Sabha – with or without recommendations. These recommendations, if any, made by the Rajya Sabha are not binding on Lok Sabha – which is free to accept or reject them. As such, it is largely being felt that Aadhaar Bill – which deals with national biometric identification system – has sought to bypass the Rajya Sabha by using the Money Bill nomenclature.

Q: Is this the right time to make the Aadhaar Bill mandatory?

A: No. This is not the appropriate time. The Aadhaar Bill recognises this fact and that is why Section 7 gives the discretion to the Central Government or the State Government that it may for the purpose of establishing identity of an individual, as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom, forming part of the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of the Aadhaar Number.

Further, the provision to Section 7 categorically provides that the Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service. This shows that Aadhaar is not mandatory.

Q: Can the bill lead to mass surveillance?

A: Technically, the Aadhaar Bill could lead to mass surveillance. The biometric database of the complete population will be with the Government. Once the biometric database is available, the same can be disclosed within the parameters of Section 33 in the interest of national security.

The term “national security” has not been defined under the law and the said term is a very elastic term and can be stated in any direction depending upon the peculiar facts and circumstances of each case. Thus, if the Government comes to the conclusion that mass surveillance is in the interest of national security, then in that case under the provisions of the Section 33, disclosure of information including identity information or authentication records can be made in the interest of national security, which could be used for a variety of activities including surveillance, interception, monitoring.

Read more: Opposition condemns ‘bypass’ method used for passing Aadhar Bill in Lok Sabha

Q: The clause 57 of the Aadhaar Bill says that private companies can use the Aadhaar number. Is it a clear indication of exploiting the number for corporate interests?

A: The net effect of Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 is that the private companies and private legal entities can use the Aadhaar Number. This could be done either pursuant to any law for the time being in force or any contract to that effect. This is a clear indication that Aadhaar Number could be exploited by commercial and corporate legal entities for commercial considerations in pursuance of contracts to that effect and for the purposes of serving corporate interests.

Q: Can government prevent mass breach of data? Or guarantee data safety?

A: The Government can prevent mass breach of data provided various steps are taken to protect and preserve the security of the data resident on the biometric database.

The Aadhaar Bill is currently silent as to the kind of security that needs to be put in place. Section 28 only says that the authority shall ensure the security of identity information and authentication records of individuals.

Further, the authority is mandated to adopt appropriate technical and organisational security measures. However, what those appropriate technical and organizational security measures are, is missing in the law.

Further, it is not yet clear as to whether the said appropriate technical and organisational security will be enough to match the minimum standards of reasonable security practices and procedures which are mandated by the Information Technology Act, 2000 and rules and regulations made thereunder. For the purposes of guaranteeing data security and safety, it is imperative that the complete data must be kept in mind while deciding as to what kind of data security regimes processes and procedures will have to be adopted by the authority.

Q: Do you think the use of the Aadhaar Number must be limited?

A: The Aadhaar Number basically refers to an identification number issued to an individual under the new Section 3 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.

Under Section 4, it has been stipulated that an Aadhaar Number may be accepted as proof of identity of Aadhaar Number holder for any purpose. Of particular relevance is Section 4(2) of the said Bill which says that an Aadhaar number shall be a random number and bear no relation to the attributes or identity of the Aadhaar number holder.

In this scenario, the use of the Aadhaar Number has to be taken on a case-by-case basis, after understanding all the legal and policy ramifications of the same.

The only question that arises is about the authenticity of the existing database of the Aadhaar registry. It is common knowledge that Aadhaar was initiated in India by means of an Executive Order.

The Unique Identification Authority of India (UIDAI) is an intermediary under the Information Technology Act, 2000. What kind of due diligence the said intermediary has done – in the context of third party data being biometric data of users – is currently not known.

The Information Technology Act, 2000 has already mandated the exercise of due diligence for entities like UIDAI including them adopting and maintaining reasonable security practices as they handle, deal with or process sensitive personal data including biometric information. It is not yet clear what kind of reasonable security practices have been adopted. As such, we need to recognise the historical legacy in the creation and continued population of the database of the Aadhaar registry. Only when the complete authenticity and veracity of the same has been ensured should the Aadhaar number project expand its wings.

Q: What does the national security law say about sharing personal data with third parties?

A: Section 33 of the Aadhaar Bill overrides the section on security of sensitive data.

According to the said Section, disclosure of information, including identity information or authentication records, can be disclosed in the interests of national security.

This can be done in pursuance to the direction of an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. The first provision to Section 33 states that every direction issued in this regard shall have to be reviewed by an Oversight Committee – consisting of the Cabinet Secretary and the Secretaries of the Government of India in the Department of Legal Affairs and Department of Electronics & Information Technology – before it takes effect.

Further, the second provison states that the directions shall only be valid for a period of three months from the date of its issue which can be further expanded for a period of another three months after the review by the oversight committee.

It is pertinent to note that the Aadhaar Bill is completely silent on what is defined as national security. The term “national security” has not been defined, thus making the aforesaid provision open to a wide interpretation. In the absence of a definition, any and every circumstance could be brought under the purview of national security. The law needs to put in place crystal-clear parameters as to what constitutes national security, when it talks of sharing of personally data with third parties.

Q: Do you think the Aadhaar Bill is moving away from its original concept of avoiding duplicity among subsidy beneficiaries?

A: The Aadhaar Bill is already moving away from its original concept of avoiding duplicity of subsidy beneficiaries. It is one of the bigger platforms and aims to make Aadhaar the basis for electronic governance activities in India.

It aims to make Aadhaar as accepted proof of identity for any purpose and also to make the UIDAI as the statutory authority to perform authentication of Aadhaar Number of an Aadhaar Number holder submitted by the requesting entity, in relation to his biometric information or demographic information.

Thus the Aadhaar Bill goes far beyond the limited scope of just being a concept for avoiding duplicity among payments of subsidy beneficiaries.