Technology, legal protection in the form of privacy law needed: Rahul Matthan
As the government makes the use of the Aadhaar unique identity number ubiquitous in the everyday lives of Indians, Rahul Matthan, partner at law firm Trilegal and a Mint columnist, says the issue brings into sharp focus the lack of a privacy law in the country.
Aadhaar is now being mandated for almost all services, from getting a mobile phone connection to filing of income tax returns. Is it legally permissible for the government to do so when the case is still pending before the Supreme Court?
The government can choose to make something mandatory or not. It is the prerogative of the government. The only remedy that you have is challenge it in a court of law. Now, the crux of the case before the Supreme Court is that no one should be denied the benefits (of welfare programmes) due to lack of Aadhaar. This is a more important thing than making Aadhaar a mandatory document for identification. Yes, if you have Aadhaar, then you must use it. If government fails to provide services to people due to the absence of Aadhaar, then it is a problem.
The opposition mentioned in the Rajya Sabha during a recent discussion on Aadhaar that it has become “as good as mandatory”. Is this what the government is doing, and does it have a legal backing?
Right now, the Aadhaar Act doesn’t make Aadhaar mandatory. The Act only specifies details on issuance and usage of Aadhaar. Now, if with reference to the Income Tax Act or the finance bill, the government says that all permanent account number (PAN) cards (used in submission of income tax returns) from now on should be accompanied by Aadhaar; then, the finance bill is making it mandatory. Now, the finance bill has been approved by Lok Sabha, so it does have legal backing for this particular case.
Why are some people are hesitant about adopting Aadhaar?
(Some) 1.13 billion people have already got an Aadhaar (number). So, the remaining people are the ones who are deciding consciously not to get an Aadhaar. But the government is on the path of making it mandatory now. So, the answer would be, yes, Aadhaar can be mandated by passing a law. Earlier, Aadhaar was positioned as non-mandatory, but that was the choice of the government at that point. If such a mandate happens now, we have to see on what grounds the decision for the mandate is incorrect. And the only ground which people are raising is privacy. Government can get access to someone’s biometric information under this and, hence, people might not adopt Aadhaar.
The apex court has said the government can mandate Aadhaar for other non-governmental schemes such as opening of bank accounts; but for government social schemes, Aadhaar adoption should not be pressed. Do you agree with this demarcation?
I don’t think there is any rational demarcation between the two. The idea is that the government should not deny anyone a benefit due to the lack of Aadhaar. Now, with government schemes, there is an obligation on their side to deliver the services. But, again, the question—should it be mandated for all services?
Take the example of PAN. Now it’s not a service. People are voluntarily going to the government and it is a requirement for filing tax returns. In case a person is not able to file tax returns due to non-availability of a document, then he will be penalized. Now, this is unfair to penalize someone who is willing to pay the tax, but does not have PAN. It’s unfair that he is forced to pay a penalty because the government made some changes in an arbitrary manner.
So, the government must give people enough time to get themselves enrolled with PAN. If that person still fails to do so in that stipulated time, then he/she must give an explanation to the government on why he/she hasn’t been able to file returns; then the government can consider it. Now, no one can stand and ask how the government made PAN mandatory. They want a unique tax identification number of a person. For the same reason, the government has made Aadhaar mandatory for filing tax, getting a driving licence, etc. Now, whether making Aadhaar compulsory is an appropriate thing to do is altogether a different thing.
Also Read: Aadhaar: A widening net
Aadhaar has emerged as the world’s largest biometric identification programme. What are the security challenges, given a rise in the number of data breaches?
I can’t comment on that as I don’t have any conclusive evidence in terms of what has been hacked and what is the harm caused in the various data breach cases. I need to look at the exact facts because I still feel it’s an incomplete story. If you are working with an agency which is an Aadhaar authenticator, then you only have access to the machine undertaking transactions involving either the biometric of a person or OTP (one time password) of the transaction. I really don’t understand how the biometric is getting stolen. It’s easier to steal the Aadhaar number though. We need to first get our facts right and then see what’s going wrong.
Do you agree that we should have a comprehensive data security law? What should entail it?
I am a strong believer in having a privacy law. The reason being, we still don’t have all our databases linked today. Yes, Aadhaar is trying to achieve that linkage, but I am still not sure whether it is highly secure or insecure... Since Aadhaar is used more and more, we must have a privacy law. We need to ensure privacy is not violated. With or without Aadhaar, a comprehensive law must be there. Aadhaar is a stimulus for us to get that. Historically, a lot of discussions have happened on what should or should not be there in a privacy law... Let us first take a decision to have a law first, then we can decide what should be there and what not.
Will considering other methods of biometric authentication such as iris and voice recognition help in reducing the number of breaches caused by fingerprints?
Every technology can be misused. You may think that fingerprints are more easier to hack but you can eventually find people who can hack into the other systems such as iris, etc., equally. There is no technological solution to this. We need both technology and legal protection in the form of a privacy law.