When the National Democratic Alliance (NDA) introduced the Aadhaar Bill in Parliament late last week, it looked like the government was trying to latch the stable door a few years after the horse had bolted. This is 2016. We are approaching the one billion-mark in number of Aadhaar cards issued. Passing an enabling legislation now is a bit like planning a coronation to celebrate the diamond jubilee of the Queen.
Much of the opposition to Aadhaar comes from the massive amounts of sensitive personal information that has been collected. These apprehensions are exacerbated by the casual and porous approach that the government has to inter-departmental data transfer—a fear that was brought into sharp focus when it took the full might of the Supreme Court to stop the Central Bureau of Investigation (CBI) from accessing the Aadhaar fingerprint database.
This is why we need an Aadhaar legislation—to establish boundaries within which the identity database will function and clearly cordon it off from government over-reach. In many ways, it is far more important to have a legislation today, as the project enters the implementation phase, than when the project was conceived.
I have worked with the government on drafting a privacy legislation and my expectations of the Aadhaar Bill were low. The government hates absolutes, and I was resigned to finding privacy provisions riddled with exceptions. I was pleasantly surprised to find only a few. I will go so far as to say that the Aadhaar Bill, if it passes in its current form, will impose some of the strongest fetters on government over-reach, of any legislation in the country.
The best example of this is in the protection afforded to core biometric information—a subset of biometric information that includes the fingerprints and iris scans and forms the foundation of Aadhaar’s authentication mechanism. Under Section 29, core biometric information cannot be shared with anyone for any reason whatsoever. The section makes it clear, in language that brooks no exception, that this information cannot be used for any purpose other than the generation of Aadhaar numbers and authentication of Aadhaar number holders.
There are many examples throughout the bill where core biometric information has been ring-fenced in this manner. For instance, Section 8, which deals with authentication, states that the response to an authentication query must exclude core biometric information. Perhaps the most extreme manifestation of this is in the proviso to Section 28 (5), which prevents the Aadhaar number holder from accessing his own core biometric information in the Central Identities Data Repository (CIDR).
The other pleasant surprise is the manner in which classic privacy principles of notice, consent and purpose limitation have been liberally sprinkled throughout the statute. Enrolment officers have to inform individuals seeking enrolment how their information will be used, who it will be shared with and what access rights they have. Requesting entities must obtain consent before collecting information for authentication and provide details of the information that will be shared and the alternatives available if the individual doesn’t want to submit identity information.
There is an entire provision (Section 28) devoted to the protection of information. This is yet another example of a provision that has been framed in the absolute—prohibiting the authority from revealing any information stored in the CIDR.
It would have been too much to ask for the legislation to have been completely devoid of exceptions—Section 33 allows for judicial and executive exceptions to the absolute prohibition against disclosure of information. It states that the protections of Sections 28 and 29 will not apply against the order of a district judge (or higher). Similarly, the protections under Sections 28 and 29 can be over-ridden by directions issued by an officer above the rank of joint secretary, in the interests of national security. Any such direction must be reviewed by an oversight committee before it takes effect.
This is not a legislation without flaws. There is a lot that’s left to be clarified through delegated legislation, and if there is one thing experience has taught us, it is that the devil is in the detail. One particularly disappointing provision is Section 29(4), which seems to allow core biometric information to be made public for purposes specified in the regulations—contrary to the manner in which it has otherwise been ring-fenced.
In the balance, this is a good legislation, filled with the kind of stiff backbone needed in a law that will form the basis for the digitization of government services. I have apprehensions about how it will be implemented, whether in practice, the privacy protections of consent, notice and purpose limitation will be given effect to. Or whether the national security exception will be misused. But given the absolutes in the drafting, it’s likely that the courts will make short work of any transgressions.
Rahul Matthan is partner in the Technology, Media and Telecom (TMT) group at Trilegal.