The lower chamber of the Indian Parliament, Lok Sabha passed, on 4 January 2019, the Aadhaar and Other Laws (Amendment) Bill, 2018 (‘the Bill’). In particular, the Bill follows the Supreme Court’s ruling on 26 September 2018, in which it upheld the constitutional validity of the Aadhaar (Target Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘the Aadhaar Act’) and aims to amend the Aadhaar Act, the Indian Telegraph Act, 1885 and the Prevention of Money-laundering Act, 2002.
Mathew Chacko and Aadya Misra, Partner and Associate respectively at Spice Route Legal, told DataGuidance, ”The introduction of the Bill, without the usual pre-legislative processes such as public consultations and referrals to an appropriate parliamentary committee, [has received] sharp criticism. The Aadhaar Act is now part of the fabric for multiple businesses and life without it is very difficult. The fear is that the Bill may not have been as well-considered as the Constitution requires it to be and the real issue here is the lack of a data protection bill in India. While a draft law was submitted, it has not been approved by Parliament. Considering that certain provisions of the Aadhaar Act were struck down on grounds of privacy concerns, one wonders whether the Bill will pass the test of constitutionality.”
The Bill outlines that the Aadhar Act, in its present form, does not empower the Unique Identification Authority of India (‘UIDAI’) to take enforcement action against errant entities in the Aadhaar ecosystem. However, the Bill allows entities to perform authentication services, provided they comply with privacy and security standards introduced through the regulations, therefore enhancing the powers of the UIDAI and allowing it to issue directions.
The Bill widens the scope of those allowed to use Aadhaar authentication services to include private entities
Chacko and Misra, noted, ”The Bill widens the scope of those allowed to use Aadhaar authentication services to include private entities, as opposed to just governmental agencies, in line with the Supreme Court’s verdict in the Aadhaar case. In addition, it introduces civil penalties and increases the threshold of existing criminal punishments, which when combined with the potential penalties that may be imposed under the data protection law, makes the probable liability for entities high.”
In addition, the Bill permits children to opt-out of the Aadhaar system after reaching the age of 18 years old, and outlines the procedure for offline verification of an Aadhar authentication number. The procedure states that before performing offline verification, consent must be obtained and that for those under 18, no offline verification seeking entity shall collect, use or store an Aadhaar number or biometric information of any individual for any purpose. Furthermore, the Bill introduces the voluntary use of Aadhaar details as an authentication option, which is now available to banks and telecom providers.
Chacko and Misra, concluded, ”Whilst this is a voluntary authentication option, and services cannot be denied to users for not using Aadhaar authentication, existing modes of identity verification for banks and telecom service providers include passports or other modes notified by the government. The inclusion of Aadhar authentication as an identification method appears to be an active push of private entities into the Aadhaar network. The Bill goes a step further than the Aadhar Act and requires such entities to provide the purposes for the use of the information in writing to individuals, in clear and precise language […] However, the Bill does not address the rights of individuals to prohibit their information being used for specific purposes, thereby making the whole informational purposes slightly murky. Generally, we find this consent-centric approach inconsistent with modern privacy and data protection.”
CHRISTOPHER CAMPBELL Junior Privacy Analyst