Data Protection and Aadhaar

India, since independence, was confronted with three problems: a) reduction of poverty, b) ensuring national security, given the tense relations with neighbors, and c) regulating terrorism finance. To resolve these problems, a solution of a unique, functional, and effective national identification system.[1]

Privacy is a need for every individual and is considered a basic right in domestic and national law. It is an essential prerequisite to the exercise of individual freedom. Its erosion debases the constitutional grounds on which democracy and good governance have conventionally been laid.[2] Article 17 of the International Covenant, Article 8 of the European Convention of Human Rights, Article 12 of the Universal Declaration of Human Rights, and Civil and Political Rights recognize privacy as the right to respect for private and family life, home, and correspondence.

Development of privacy law in India began with the eight-judge bench decision of the Apex Court in M.P. Sharma v Satish Chandra (1954)[3], where the concept of search and seizure was expanded on, “When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a different fundamental right, by some process of strained construction.”[4]

However, the concerns around data privacy arose again, but this time in a large-scale manner, when the government introduced its new biometric identity project, Aadhaar – which ended up being the world’s largest biometric identity database with around 1.2 billion subscribers by 2018. Aadhaar was launched in 2009 with the setting up of the Unique Identification Authority of India (UIDAI) but the first number was rolled out in September 2010 in Tembhli village in the Western state of Maharashtra.[5]

The Unique Identification Authority of India, a government organization, assigns unique identity numbers to people in India that resemble Social Security numbers in the United States. These numbers are referred to as “Aadhaar” in this context. The first Aadhaar number was distributed in 2010 following the Authority’s formal introduction in 2009.[6]

There are no proper regulations in India on safeguards and procedures for the ‘collection, processing, storage, retention, access, disclosure, destruction, and anonymization’ of sensitive personal information by any service provider.[7]

By 2012, numerous legal petitions challenged the constitutional validity of Aadhaar due to its linkage to welfare and other services that would essentially lead to a violation of privacy. In 2018, the Court upheld Aadhaar’s constitutional validity and its requirement for providing welfare to the poor while exempting the scheme’s mandatory linkage from non-welfare services such as banking and mobile phone communications except taxation.[8]

Real-time identity verification made possible by biometric technology and big data processing was believed to have the potential to be the ideal cure for the well-known problems of development. But even individuals who do have the desired identity documents are extremely susceptible to being tricked in multiple ways. Indian nationals have so far proved their identities with a variety of documents, such as driver’s licenses and Below Poverty Level (BPL) cards. Aadhaar was believed to enable the government to reach millions of people who were previously undocumented and excluded from benefit systems.[9] Targeted beneficiaries will receive welfare programs, but on the other hand, their integration with banking systems (by offering direct cash transfers instead of subsidies) will guarantee residents’ and citizens’ financial inclusion in the formal economy.[10]

According to a survey,[11] out of 164 respondents, 27% said that if the Aadhar card is introduced, there is an opportunity to combat corruption. 44% said they thought the government should have unrestricted access to our personal information. 29% of respondents say the Aadhar system facilitates the public distribution system. 58% of respondents believe it is a trust trap that would lead to more regulation and slower economic growth. Only 28.9%  said that the Aadhar card stored in the bank database is secure. 28.3% of respondents agreed the country will be able to reduce the amount of black money if it links Aadhar to a bank. According to 29% of respondents, our personal information is stored on our Aadhar card and is accessible to the government. A little over 31.5% of respondents at random agreed that our personal data will be impacted by government corruption. According to 43% of respondents, there should be strict legislation against data piracy. 39% of respondents are in favor of giving contracts to foreign companies to handle and manage our Aadhar data. Meanwhile, nearly thirty-two percent of respondents concur that the foreign company managing our data poses a threat to the country.[12]

There exist numerous instances where individuals’ lack of awareness leads to security threats. This section’s goal is to talk about these kinds of situations. The UIDAI has recently noticed that several online retailers are charging to print Aadhaar data on 48 plastic cards. Some businesses were fooling customers by charging between Rs. 50 and Rs. 200 and claimed that the plastic card with Aadhaar printed on it was a “smart card.” However, according to UIDAI, “Aadhaar data printed on a normal sheet of paper is enough as proof,” and “there is no such concept as a smart card.”.[13]

As a result, UIDAI warned several online retailers—including Amazon, Flipkart, E-Bay, and others—that it is against the law to charge for printing an Aadhaar card on a plastic card. The Aadhaar Act of 2016 and its Chapter VI, mandates that the Authority take all necessary steps to ensure that the information in its possession or control—including that stored in the Central Identities Data Repository—is secured and protected against access, use, or disclosure that is prohibited by this Act or its regulations, as well as against accidental or intentional destruction, loss, or damage—could result in fines and jail time for the e-commerce companies.[14]

Rather than being used as “proof of address,” Aadhaar has become more and more popular as “proof of identity” (many checkpoints such as protected areas, airports, and trains now accept Aadhaar cards as identification). However, Aadhaar is essentially a plain card with no security features (it only contains a QR (Quick Response) code, not a hologram), making it easily tampered with (after being downloaded from the internet or printed in color via a Xerox). Another weakness in Aadhaar’s security was exposed when an unidentified blogger discussed how simple it is to obtain Aadhaar data by performing a straightforward Google search. This centralized database could be a valuable resource for criminals given the exponential growth of cybercrime.[15]

This could result in the unconsented identification of people or the tracking of them illegally. These documents could also help to provide information about the exact place, time, and circumstances surrounding the services that person used. Furthermore, breaches of the UID database or internal collusion may also reveal private financial information about people or businesses. An instance of a data breach occurred when Axis Bank, Suvidhaa Infoserve, and eMudhra’s Aadhaar payments were momentarily suspended by UIDAI due to unauthorized authentication and impersonation via the illicit storage of Aadhaar biometrics. The UIDAI became aware of this violation when someone used their biometrics to complete nearly 397 transactions between July 14, 2016, and February 19, 2017[16].

Aadhaar project participants “agreed to make Aadhaar Cards for applicants without any proof of identification or address” for fees ranging from Rs. 500 to Rs. 2500, according to a report by an investigative website. Nearly anybody, “whether Indian or an illegal immigrant, can get an Aadhaar Card made without any proof of identity,” according to the website. What’s more, they acquire an Indian identity. Even though there have been multiple reports of these kinds of activities, one that garnered a lot of attention was that of a UIDAI operator in the Mandal area of Bhilwara who attempted to elude the authorities by attempting to obtain an Aadhaar card for the terrorist Osama Bin Laden, who has since been killed. However, the UIDAI was alerted due to the discrepancies in the personal data form and filed a complaint against the operator.[17]

In Justice K.S. Puttaswamy (Retd.) v UOI and Ors, 2015[18] we see the question ‘whether the right to privacy is a fundamental right at all under Part III of the Indian Constitution’. It is noteworthy that cases involving grave privacy implications and violations are being filed in various High Courts throughout the nation, despite the Supreme Court of India casting doubt on the existence and definition of the right to privacy.[19] The Court overturned the M.P. Sharma ruling, holding that the Fourth Amendment did not provide a comprehensive definition of privacy and that the lack of similar protection in the Constitution did not imply the existence of no inherent right to privacy in India.  It held that the right to privacy may be restricted where such invasion meets the three-fold requirement of (a) legality, which postulates the existence of law; (b) need, defined in terms of a legitimate state aim; and (c) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.[20]  Later on Govind vs State Of Madhya Pradesh & Anr. (1975)[21] and Unni Krishnan, J.P. and Ors. Etc. vs State of Andhra Pradesh And Ors. (1993)[22] have recognized one’s enumerated right to personal privacy.

Biometric data is private information that is inextricably linked to a specific person; biometrics, such as fingerprint and iris scans, are immutable, non-reversible, and unchangeable. An individual should have the option to revoke their consent when a body such as the Authority is gathering their biometric data with that person’s knowledge. India needs a comprehensive legal framework for data protection and privacy because it has one of the largest national biometric databases in the world to store all this information and because it has declared privacy to be a fundamental right in its constitution. The legislature, which introduced the Personal Data Protection Bill (PDPB) in 2019, recognized this need, as did the Supreme Court of India. But in August 2022, the government decided to withdraw the PDPB because, after several amendments over the previous few years, it had become too complex.[23]

Enforcing data protection laws and the fundamental rights of individuals to be forgotten and erased, in conjunction with necessity and consent, to the Authority is a critical step that could boost public confidence in the Aadhaar system and instill a sense of security. The future of data governance in the digital age depends critically on having solid foundations for data protection, privacy, and security that would shield people from the government and any potential government intrusion into their privacy, particularly as India moves closer to the government’s Digital India goal.

Reference(s):

Banerjee, S. (2016). Aadhaar: Digital inclusion and public services in India. World Development Report, 81-92.

Bhandari, V., & Sane, R. (2016). Towards a Privacy Framework for India in the Age of the Internet.

Chaudhuri, B., & König, L. (2018). The Aadhaar scheme: a cornerstone of a new citizenship regime in India? Contemporary South Asia, 26(2), 127-142.

Dembi, D. (2021). Privacy & National Security: A Balancing Act? Available at SSRN 3953357.

Gyanchandani, V. (2020). A balanced approach to privacy for Aadhaar: between privacy & convenience. Available at SSRN 3896879.

Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2023). Retrieved October 26, 2023, from Ccgnlud.org website: https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india ors#:~:text=Case%20Brief&text=The%20nine%20Judge%20Bench%20in,of%20dignity%2C%20autonomy%20and%20liberty.

Madan, H. K. S. D. S. (2020) A Study On Aadhar Privacy And Personal Security Issues In India.

M.P. Sharma v Satish Chandra (1954) 1 SCR 1077

Raju, R. S., Singh, S., & Khatter, K. (2017). Aadhaar card: challenges and impact on digital transformation. arXiv preprint arXiv:1708.05117.

Rao, U., & Nair, V. (2019). Aadhaar: governing with biometrics. South Asia: Journal of South Asian Studies, 42(3), 469-481.

Singh, P. (2021). Aadhaar and data privacy: biometric identification and anxieties of recognition in India. Information, Communication & Society, 24(7), 978-993.

Tyagi, A. K., Rekha, G., & Sreenath, N. (2018, December). Is your privacy safe with Aadhaar?: an open discussion. In 2018 Fifth International Conference on Parallel, Distributed and Grid Computing (PDGC) (pp. 318-323). IEEE.

Yalavarthy, A. S. (2023). Aadhaar: India’s National Identification System and Consent-Based Privacy Rights. Vand. J. Transnat’l L., 56, 619.

[1] Gyanchandani, V. (2020). A balanced approach to privacy for Aadhaar: between privacy & convenience. Available at SSRN 3896879.

[2] Dembi, D. (2021). Privacy & National Security: A Balancing Act?. Available at SSRN 3953357.

[3] M.P. Sharma v Satish Chandra (1954) 1 SCR 1077

[4] Bhandari, V., & Sane, R. (2016). Towards a Privacy Framework for India in the Age of the Internet.

[5]Singh, P. (2021). Aadhaar and data privacy: biometric identification and anxieties of recognition in India. Information, Communication & Society, 24(7), 978-993.

[6] Yalavarthy, A. S. (2023). Aadhaar: India’s National Identification System and Consent-Based Privacy Rights. Vand. J. Transnat’l L., 56, 619.

[7] Banerjee, S. (2016). Aadhaar: Digital inclusion and public services in India. World Development Report, 81-92.

[8] Ibid.

[9] Rao, U., & Nair, V. (2019). Aadhaar: governing with biometrics. South Asia: Journal of South Asian Studies, 42(3), 469-481.

[10] Chaudhuri, B., & König, L. (2018). The Aadhaar scheme: a cornerstone of a new citizenship regime in India?. Contemporary South Asia, 26(2), 127-142.

[11] Madan, H. K. S. D. S. (2020) A Study On Aadhar Privacy And Personal Security Issues In India.

[12] Ibid.

[13] Raju, R. S., Singh, S., & Khatter, K. (2017). Aadhaar card: challenges and impact on digital transformation. arXiv preprint arXiv:1708.05117.

[14] Ibid.

[15] Tyagi, A. K., Rekha, G., & Sreenath, N. (2018, December). Is your privacy safe with Aadhaar?: an open discussion. In 2018 Fifth International Conference on Parallel, Distributed and Grid Computing (PDGC) (pp. 318-323). IEEE.

[16] Ibid.

[17] Ibid.

[18] Justice K.S. Puttaswamy (Retd.) v UOI and Ors (2017) 10 SCC 1

[19] Bhandari, V., & Sane, R. (2016). Towards a Privacy Framework for India in the Age of the Internet.

[20] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2023). Retrieved October 26, 2023, from Ccgnlud.org website: https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india ors#:~:text=Case%20Brief&text=The%20nine%20Judge%20Bench%20in,of%20dignity%2C%20autonomy%20and%20liberty.

[21] Govinda v. State of U.P., [1975] 3 SCR 946

[22] Unni Krishnan, J.P. And Ors. Etc. vs State Of Andhra Pradesh And Ors.,(1993) SCR (1) 594

[23] Yalavarthy, A. S. (2023). Aadhaar: India’s National Identification System and Consent-Based Privacy Rights. Vand. J. Transnat’l L., 56, 619.