By: Digvijay Chaudhary

During the proceedings of the Aadhaar Act (hereinafter ‘the act’), Chandrachud, J. remarked that surveillance is not necessarily the argument that has to be answered by the respondents (State) and other areas of concern in the act need to be identified such as the use of the Aadhaar platform by private entities. This brings to our next concern; the use of Aadhaar platform by private entities. We must understand how closely both these issues are inter-linked; the use of Aadhaar by private entities facilitates profiling and surveillance. The question of private entities being involved arises from two sections in the act: Section 10 and Section 57, both have been reproduced below:

Section 10: “The Authority may engage one or more entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations“.

Section 57: “Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or anybody corporate or person, pursuant to any law, for the time being in force, or any contract to this effect: Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI”.

Section 8 speaks about the Authentication of Aadhaar number and Chapter VI speaks about Protection of Information and enlists the obligation of security and confidentiality to be followed by the authority to protect the information.

Section 10 introduces and allows private entities to establish and maintain the Central Identities Data Repository (hereinafter ‘CIDR’); this enables the entities to access data stored in the CIDR. There are no clear standards regarding this potential access that the private entities may allow themselves to be involved in. This may turn out to be the weakest link when it comes to the security and privacy. It is important to understand the sensitivity of the data that the authority is dealing with because it cannot be duplicated again as it is capturing the human biometric which cannot be changed if compromised.

There are counter-arguments to this too; private entities such as Google are already being provided with an individual’s data and real-time location.  The crux here is consent. The users grant their consent to Google to track them using GPS. However, the tracking of an individual without his/her consent is a violation of Article 13. When it comes to surveillance without the individual’s consent, either by the State or Private entities, both are illegal in law and fall foul of part IV of the constitution. Another difference between the collection of data by private entities and the state is that consent is given to private entities for specific purposes such as accessing GPS. Whereas, in the present case, consent is given to the State for the targeted delivery of subsidies, benefits and services. Here it seems that targeted delivery of subsidies, benefits and services is a blanket aim to hide ulterior motives of the State; unauthorised use of data by itself and private entities including to facilitate surveillance and profiling. To what extent can the State seek information (State interest and proportionality) and to what extent should private entities be provided with this information? The very presence of private entities takes away State interest and proportionality.

It’ll be interesting to mention that before the recent debacle of UIDAI’s chairperson on twitter, and the UIDAI issuing warnings to not let loose of the Aadhaar number of an individual, Mr. Shyam Divan raised an argument in the court. He stated that non-state actors could ask for people’s Aadhaar number and as a result, acquire their demographic information. It was enquired further by Sikri, J. that whether an employer will obtain an individual’s private data upon taking his/her Aadhaar number since the Aadhaar number would only be used for the purpose of identification? Chandrachud, J. stated that biometric data is stored in the CIDR and all the individual would be required to give is his Aadhaar number. To this, Mr. Divan responded that the giving of the Aadhaar Number to several entities will compromise an individual when the number is combined with the other information available. This exposes an individual and would enable the state to track him/her.

This statement is necessary, as it shows that the fears of implementation of the Aadhaar project including collection and storage of information are being realised now, so much so that the chairperson of UIDAI, (after having challenged for the misuse of his Aadhaar by just his Aadhaar number) was forced to issue warning through UIDAI to never disclose the Aadhaar number. Involvement of private entities is not limited to the above 2 sections. Below are some provisions which facilitate the involvement of private entities:

Section 2(l): “enrolling agency” means an agency appointed by the Authority or a Registrar, as the case may be, for collecting demographic and biometric information of individuals under this Act;

Section 2(u): “requesting entity” means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication;

Section 23(3): The Authority may,— (a) enter into Memorandum of Understanding or agreement, as the case may be, with the Central Government or State Governments or Union territories or other agencies for the purpose of performing any of the functions in relation to collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) by notification, appoint such number of Registrars, engage and authorise such agencies to collect, store, secure, process information or do authentication or perform such other functions in relation thereto, as may be necessary for the purposes of this Act.

The dangers of data being in the hand of private entities (to whom consent has not been given) are much more than they seem. From digital profiling to qualifying as unfair trade practices, infringing the privacy of individuals to dissemination of data to foreign entities, the individual is no longer in control of his/her data. What use/misuse it might be put to and what dark rooms it may touch are unknown and with crimes such as cyberbullying, data theft coupled with the ‘digitalisation’ of India, these dangers and fear can no longer take the back seat. Knowledge is power in today’s world and we are aware of Snowden’s revelation about the extent of mass surveillance that had been going in the US. It is high time that we grow concerns and protect information about ourselves because data might be the most prized possession today.

Data compromise happened in Germany, it happened in the United States, despite promises of data confidentiality from those governments. Comparing India directly with other countries may not be very correct, but India has nothing that assures its residents that what happened in Germany and the United States will not be repeated here. With weak data protection and privacy laws coupled with security threats and illegal immigration, it seems highly improbable that such a data compromise would not happen in India.

The real challenge for UIDAI is how fast can it take corrective action to ensure that the affected citizen does not suffer in proving his/her identity? Identity thefts will continue to happen, even if best of security is deployed. But, we should build a system that is resilient enough to correct itself at a fast pace and one that ensures that end users do not suffer owing to someone’s mischief. Here the trouble is with the act’s central design, which vests in the UIDAI a conflicting dual responsibility: to act both as the custodian of all the information that it collects and to act as a regulator of the Aadhaar database.

This means that any breach made to the data that is centrally amassed, unless exposed, will only be known to the UIDAI. It will then be for the UIDAI to decide how it wants to remedy such intrusions. As a result, when our Aadhaar data is leaked, we will be left with no recourse to an effective remedy. This is evident from section 6 which places the responsibility of update and accuracy of biometric information on the individual. How is a person supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same? It is interesting to note that the VDR Act provides only for a request to the BINKS for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the BINKS to refuse to grant access to the information once a request has been made.

The use of mass surveillance threatens the very nature of a democratic and fair society. The very act of constantly being monitored has profound impacts on how a society, and individuals, operates. Communications surveillance should be regarded as a highly intrusive act that potentially interferes with the rights to freedom of expression and privacy and threatens the foundations of a democratic society. How can a society that is continually and systematically monitored feel free to speak openly? There are credible indications to suggest that digital technologies have been used to gather information that has then led to torture and other ill-treatment.

The use of the Aadhaar platform by private entities is a much graver concern as it might be regarded as the authorisation of mass surveillance by private entities and further sharing of such information with foreign entities. This disregards the defence of national security that the government has subsequently undertaken to justify the overreaching powers that the act grants to the government.

(Digvijay is currently a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.)