By Abhishek Jha:
Need And Legitimacy
It has to be understood first and foremost that the bill per se is a protection from what could possibly go wrong with personal biometric or demographic information being collected. For instance, in 2014, a Goa court had asked the Unique Identification Authority of India (UIDAI) to provide the CBI with biometric information of all residents of the state for probing a rape case. The UIDAI had to petition the Supreme Court to protect its data as, it argued, it had been developed “for civilian use and for non-forensic purposes.” Given that 98 crore individuals have been issued Aadhaar cards by now, there was clearly a need for this legislation.
Section 28(5) of the bill now prohibits the UIDAI or any of its employees or officers as well as those associated with maintaining the Central Identities Data Repository from revealing any information stored in the Repository or authentication record to anyone. Even the number holders cannot have access to their core biometric information (iris scans, fingerprints, etc). This core biometric information can be used only for the purpose of “generation of Aadhaar numbers and authentication under this Act.” Moreover, no identity information, which includes the Aadhaar number, biometric information, and demographic information “can be disclosed further, except with the prior consent of the individual to whom such information relates” according to section 29(3).
Section 33(1) further says that the disclosure of any part of the identity information would require “an order of a court not inferior to that of a District Judge.” However, since this section does not override section 29(3) and also gives the UIDAI the right to be heard in the case, both the individual and the UIDAI can argue before the court. For investigation of a criminal investigation now, as in the case from Goa cited above, data available with the UIDAI cannot be shared with a probe agency for finding, say, a fingerprint match, which would involve unconsenting individuals sharing their core-biometric data.
There is a catch nonetheless. When it comes to national security, none of these provisions protecting identity information hold. The only respite here is that orders of disclosure even in such cases will require “the direction of an officer not below the rank of Joint Secretary to the Government of India” and every direction will “be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect.” Moreover, even if a probe agency were to use this data, they can do so only for a period of three months and take an extension from the Oversight Committee for another three.
Outcome
The other major apprehension about the bill was whether it would make possession of an Aadhaar card mandatory for availing social benefit schemes because that would necessarily require one to submit aforementioned identity information to the UIDAI. Given that 98 crore individuals already have submitted this data, this is, however, a lost battle because the possible infringement of absolute privacy is now, ridiculous as it may seem, codified. Whether or not we avail a social benefit scheme, most of us have already submitted this privacy.
Yet, for the sake of those yet to avail a card or for posterity, the bill’s provisions on the compulsory nature of the UID are important and the bill there is ambiguous. Section 7 first says, for instance, that the government may require one to make an application for enrolment in case the Aadhaar number has not been assigned to an individual availing a social benefit scheme. But immediately after goes on to say that “the individual shall be offered alternate and viable means of identification for delivery of the subsidy.” Hopefully, since this mandatory nature has been a hot topic of discussion and the opposition is worried due to the bill being a Money Bill, this ambiguity, at least, will be addressed in the parliament and the intent of the government will become clearer.
Conclusion
There are further doubts about the misuse of this particular bill. National security, as we have learnt from what this government does and does not think of as anti-national, is a dodgy term. And since the government’s commitment to privacy is suspect, given that recently it argued through the Attorney General in a case relating to Aadhaar itself that privacy isn’t a fundamental right, it is only natural that concerned editorials are being penned.
The bill has also not specified–giving regulatory power to the UIDAI to do so–who the entities maintaining the Data Repository will be. The question then becomes a matter of trust. As has been previously said by some people, whether the entities will abide by the law or, being powerful private entities, flout the conditions they are subject to under this Act remains an area of concern. Worse still, as other people have argued elsewhere, this could be done in connivance with a government that doesn’t care for the privacy of the people.
Exposing a similar collusion and showing how the US government had been lying to the courts had made the whistleblower Edward Snowden flee his own country. But these are problems that will remain with probably any kind of legislation unless we do away with the UID altogether for all people. For those who are yet to get a UID, the Bill in itself would be unjust if it indeed requires mandatory enrolment with the UIDAI.
In conclusion, one can say that it would have been better had there been more public discussion on the framework of the bill prior to its introduction. The government should also not try to pass the bill, just because it can, without paying heed to what the Upper House or those with apprehensions within the Lok Sabha have to say. For the common citizen, privacy was already put at stake when they submitted their identity information to the UIDAI. However, it may be granted that the bill does attempt to address some of the concerns that had arisen about privacy.