We’re pleased to bring to you a guest post by Adarsh Ramanujan. Adarsh is an advocate primarily assisting clients as a litigation attorney. He has recently started his own counsel practice with offices in Delhi and Chennai after having spent considerable time with Lakshmikumaran & Sridharan at their New Delhi and Geneva offices. He obtained his B.Sc. LL.B. (Hons.) degree (Gold Medalist) from National Law University, Jodhpur and LL.M. degree from University of California, Berkeley. He is a qualified Patent Agent in India. A major portion of his time is spent practicing in the areas of IP & Technology Laws as well as in International Trade Law. He has, however, branched out into doing commercial litigation and arbitration work. His expertise also extends to regulatory laws such as environmental laws, biodiversity laws and cyber laws. Adarsh is currently teaching a seminar course on commercial arbitration in NLU, Delhi and has previously taught patent law in NLU, Jodhpur and at the CEIPI Institute (University of Strasbourg). He has authored or co-authored close to 30 publications on diverse topics, including on IP, WTO, constitutional law and international tax.
Is There a Hidden Indictment of the Aadhaar in the Justice Sri Krishna Committee Report?
The Justice Sri Krishna Committee, while proposing its draft Personal Data Protection Bill 2018, has given specific recommendations for amendments to the Aadhaar Act. Although there is a dissenting view on this subject, the Committee has proposed changes to be made to the Aadhaar Act: (i) “for bolstering privacy protections for residents” and (ii) to convert the UIDAI into a regulatory body with the powers of enforcement.
While there is no express indictment of the Aadhaar in the Committee’s Report (given the pendency of the matter before the Supreme Court), this author believes there is a hidden one. Some of the proposed amendments highlight the flaws in the Aadhaar ecosystem that concern the constitutional right to privacy.
At the top of this author’s list would be the express mandate that the UIDAI be subject to the proposed Data Protection Bill. Given the critical nature of the information controlled by the UIDAI through the Central Identities Data Repository (CIDR), this author’s view is that there should be strict liability imposed on the UIDAI for any data breach, enforceable directly by the affected persons. As is typical of all legislation in this country, currently, no legal proceeding can be initiated against the UIDAI or its members for actions taken in good faith. While there is an obligation on the UIDAI and the persons responsible for protecting the information in CIDR, the UIDAI itself is not accountable for any breach.
The Justice Sri Krishna Committee, however, considers the UIDAI as a data fiduciary (an entity that determines the purpose and means of processing of personal data), which will be subject to several statutory obligations under the proposed data protection framework. Although even the Draft Bill does not appear to go to the extent of imposing strict liability for data breaches of such sensitive data, the UIDAI and persons involved would be held accountable for data security, notification of breaches, data audits and so on. There has even been a recent litigation initiated in the Delhi High Court seeking damages for data leakage. The current lack of accountability of the UIDAI is a vital flaw that needs plugging.
A crucial second proposal is a mandatory split between online and offline verification for verifying the identity of an individual. Online verification involves the collection of the Aadhaar number and biometric information for submission to the Central Identities Data Repository. Offline verification refers to verification of identity without such collection and submission. Examples of the same include the new Virtual ID implemented recently by the UIDAI. The Committee has proposed that online verification must only be limited to instances governed expressly by Parliamentary law or prior-approved public bodies exercising public functions. Private entities are not entitled to collect Aadhaar number or biometric information and can only resort to offline verification methods.
Currently, the Aadhaar Act does not contemplate this split and allows for online verification by a private party, which exponentially increases the chances of leakage of critical personal information. The UIDAI may happily claim that such Offline verification (Virtual ID) is already in place. However, a gaping hole in the legislation that could be plugged (or as easily taken away) through executive fiat and that too, after everyone was forced to share sensitive personal information with private players, cannot be considered as reasonable protection to the constitutional right to privacy. At least, not in this author’s books.
A final point is the amendment proposed by the Committee to Section 29(4) of the Aadhaar Act. The existing provision, though couched in negative language, allows for the Aadhaar number as well as the core biometric information of an individual to be published, displayed or posted publicly for purposes specified in the regulations. The proposed amendment limits this clause only to Aadhaar number, demographic information or photograph, such that the core biometric information is never publishable. The proposal plugs a technical, but a highly relevant, hole in the current law.
These are but a few key points worth considering. Not for an instant is this author suggesting that the proposed amendments are a panacea to the issues plaguing the Aadhaar system – one would let the Supreme Court decide this. Nevertheless, with the Supreme Court’s judgment on the constitutional validity of the Aadhaar system right around the corner, this author firmly believes that one cannot ignore these critical insights from the Justice Sri Krishna Committee Report and the Draft Bill.