The Supreme Court of India (‘the Court’) issued, on 26 September 2018, its judgment in Writ Petition (Civil) No. 494 of 2012 & connected matters, in which it upheld the constitutional validity of the Aadhaar Targeted Delivery of Financial and Other Subsidies, Benefits and Services Act, 2016 (‘the Aadhaar Act’). In particular, the Court outlined that the Aadhaar Act does not violate citizens’ right to privacy and found that linking Aadhaar was compulsory under Section 139AA of the Income Tax Act, 1961. However, the Court also held that the sharing of data with private entities pursuant to a contract under Section 57 of the Aadhaar Act, was patently unconstitutional.
Supratim Chakraborty, Partner at Khaitan & Co LLP, told DataGuidance, “The ruling on Section 57 of the Aadhaar Act will affect the functioning of businesses in several sectors. Due to a lack of clarity on how the revised section should expressly read, it may be difficult for private entities offering services such as telecommunications, banking and finance to mandate Aadhaar. This could have economic implications as, verifying customer identities as part of the know your customer (‘e-KYC’) system, was significantly costlier and time consuming before the Aadhaar-based authentication came into being.”
In addition, the Court found Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and notifications issued under it, and the Department of Telecommunications, 23 March 2017 circular, mandating the linking to Aadhaar, unconstitutional and outlined that linking Aadhaar was not mandatory for services, including, employee pension, re-verification, mutual fund investments, insurance policies and credit cards.
The judgment recognises that there is need for a proper legislative mechanism for data protection
Chakraborty added, “[For private entities] the mandatory linking of Aadhaar numbers with bank accounts and mobile phone SIM cards has also been held to be unconstitutional. A significant restriction has already been placed on private entities who were using the e-KYC system which involves biometric authentication of the Aadhaar number for onboarding customers. However, the judgment does not provide adequate guidance in cases where the Aadhaar number holder proposes to voluntarily share the same for authentication. In light of the above, it may be advisable for private entities to wait for specific directions and clarifications in this regard.”
In reaching its determination, the Court considered, among other things, whether the Aadhaar Act and surrounding rules provided protection in respect of data minimisation, purpose limitation, data retention, data protection and security. In addition, the Court considered international and national case law, as well as, the parameters of the right to privacy and data protection provisions under the Information Technology Act, 2000 and the Personal Data Protection Bill, 2018 (‘the Bill’) submitted by the Justice B.N. Srikrishna Committee.
Chakraborty concluded, “The constitutionality of the legal provisions guiding Aadhaar have been examined to verify if the same is in violation of the fundamental right to privacy or is a reasonable restriction on the same. The judgment recognises that there is need for a proper legislative mechanism for data protection. In this regard, the judgment notes that the Bill is the first articulation of a data protection law in India, and with some further fine tuning […] a comprehensive data protection regime is not far away.”
CLAUDIA STRUGNELL Privacy Analyst