In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and the linking of services to this programme were yet to be adjudicated upon.
The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.
Attorney General K. K. Venugopal submitted the responses by the CEO of Unique Identification Authority of India (UIDAI) to the questions submitted by the petitioners.
Mr. Venugopal read out the questions and answers.
In the first question, the petitioners requested the figures of authentication failures at both the national and state levels, along with a breakup of iris and fingerprints. Mr. Pandey responded that he cannot provide the figures at the state level as the UIDAI does not know where the authentication request comes from. However, he provided the figures at the national level but specified that a failure does not automatically indicate exclusion or denial of services, as the requesting entities are required under law to provide exception handling mechanisms.
The next question dealt with the enrollment and authentication processes for a person who is claiming biometric exception and has not provided a mobile number or is currently using a different number. Mr. Pandey responded that in case of persons who are unable to provide biometrics, their iris authentication can be used for updating information including mobile number. He pointed out that this was the reason for incorporating a multimodal enrolment and authentication process in Aadhaar. He mentioned that authentication through mobile number is used as one of the methods in those exceptional scenarios where both iris and fingerprint authentication are impossible, and further stated that if mobile number authentication is also not possible, the requesting entities are required to provide their own exception and backup mechanism to ensure delivery of services to Aadhaar holders. He also mentioned that the digitally signed QR code has been implemented to verify the Aadhaar card in an offline manner.
S.5 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and Reg.6 of the Aadhaar (Enrollment And Update) Regulations 2016, and Reg.14(i) of the Aadhaar (Authentication) Regulations 2016, were cited as the provisions addressing this issue.
The next question addressed the requirement of parental consent with respect to the enrollment of children between the ages of 5 and 15. Mr. Pandey responded that school officials, if permitted, can act as introducer and enroll the students, provided there is parental consent.
In the following question, the petitioners asked if it would be possible for the child to revoke his consent once he attains the age of 18 years. Mr. Pandey responded that it is not permissible under the Aadhaar Act, but that they have the option of permanently locking their biometrics and unlocking it only when required for biometric authentication.
The next question addressed the issue of enrolment done by blacklisted enrolment operators. Mr. Pandey answered that all enrollments that are contrary to the UIDAI process are rejected and the residents are requested to re-enroll.
In the next question, the petitioners asked for the figures of biometric de-duplication rejections that have taken place till date. They also queried the status of the data packets containing stored information upon rejection of enrollments, either on grounds of duplication or for other technical reasons. Mr. Pandey responded that the total number of biometric de-duplication rejections till March 21, 2018 is 6.91 crore. He specifically stated that the figure pertains only to applications identified as having matching biometrics to an existing Aadhaar holder. He further stated that it is highly improbable that all biometrics (ten fingers and two irises) match unless the same person has applied again. He mentioned that the figure does not indicate that there is an equivalent number of people who have been refused Aadhaar and pointed out that none of the de-duplication rejects have filed complaints regarding denial of an Aadhaar number. He said this indicates that genuine residents have re-enrolled themselves and the rest are the ones who are trying to overreach the Aadhaar system through fraudulent means. He also stated that all the data packets are archived in the Central Identities Data Repository (CIDR) irrespective of whether they were accepted or rejected.
The next question addressed the term “any other appropriate response” under s. 8(4) of the Act. Mr. Pandey responded that it includes e-KYC and limited e-KYC data.
In the subsequent question, the petitioners asked if any UIDAI official verifies the correctness of the documents submitted during enrolment. Mr. Pandey responded that the Registrar is entrusted with the duty of verification of documents and mentioned that the Registrar/enrollment agency have to appoint personnel for the same.
The next question dealt with the probabilistic nature of biometrics. Mr. Pandey stated that biometric authentication is always performed as a 1:1 biometric match against his/her Aadhaar number and therefore it is not probabilistic. He also mentioned the exception processes that are implemented to ensure that no Aadhaar holder is denied service due to failure of authentication. He mentioned that these exception processes can be used in case of senior citizens whose biometrics have changed.
The next question addressed the issue of blacklisting of enrollment operators. Mr. Pandey pointed out that they can be blacklisted on the following grounds: a) illegally charging for Aadhaar enrollment, b) poor demographic data quality, c) invalid biometric exceptions, and d) other process malpractice.
In the following question, the petitioners enquired if the point of service (POS) biometric readers are capable of storing biometric information. Mr. Pandey stated that UIDAI has mandated the use of a Registered Device (RD) for all authentication requests and that it encrypts the information and therefore rules out the possibility of use of the stored biometric information. He further stated that Reg.17(1)(a) of the Aadhaar (Authentication) Regulations, 2016 makes it unlawful for requesting entities to store biometrics captured during authentication.
In the next question, the petitioners asked if authentication user/service agencies record the date, time, and purpose of authentication, the device ID and the client IP. Mr. Pandey responded that the UIDAI does not request these entities to collect any of this information. However, he mentioned that authentication user agencies such as banks may store such additional information under their respective laws to secure their systems. He further mentioned that Reg.18 of the Aadhaar (Authentication) Regulations, 2016 stipulates the information that is to be collected by the requesting entities and that only such information will be audited by the UIDAI even if the requesting entity collects additional information.
In the final question, the petitioners asked if the UIDAI can trace the specific device and location from which authentication takes place. Mr. Pandey responded that the UIDAI does not get information regarding the IP address or GPS location and that it only knows the device through which the authentication has happened. He specifically mentioned that the UIDAI does not know the location at which the authentication device is deployed.
Next, Mr. Venugopal stated that Aadhaar is an evolving technology and that all other alternatives, including the use of smart cards, were investigated previously. He further stated that if there are defects in the Act, they could be rectified. He reiterated that the Aadhaar project has received wide-scale appreciation, including from the UN and the World Bank. He stressed that it is a unique identity that can be used for all purposes.
He further stated that Aadhaar is a policy decision by the government and therefore courts cannot interfere in it.
Next, referring to Justice K. S. Puttaswamy & Anr. v. UoI and Ors, Mr. Venugopal submitted that Aadhaar satisfies all the conditions laid down in the case for legitimate invasion of privacy. He submitted that there is a legislation, legitimate state interest and a reasonable nexus between the means used and the objects sought to be achieved. He further submitted that if a law is valid and constitutional but its implementation is unlawful, the law couldn’t be struck down as unconstitutional merely on that ground. He stated that tremendous effort has been made to ensure that invasion of privacy by the Aadhaar project is as minimal as possible and that the law could not have been structured in a better manner to have a lesser impact on privacy.
Next, he referred to Justice Chandrachud’s judgment in Puttaswamy discussing Srikrishna Committee’s report on data privacy. He stated that whatever more has to be done to ensure data protection would be addressed by the Committee and pointed out that Mr. Pandey is also on the committee.
Next, he submitted that according to Justice Chelameswar’s and Justice Bobde’s opinions in the Puttaswamy judgment, privacy is not an absolute right and can be invaded by laws that satisfy the just, fair, and reasonable standard. He cited the Right to Information Act as an example of a reasonable restriction on the right to privacy in light of public interest.
Mr. Venugopal then applied the privacy judgment to Aadhaar. He reiterated that as per the judgment, privacy is not an absolute right and referred to the three conditions laid down in Justice Chandrachud’s judgment that would legitimize the invasion of privacy. He submitted that Aadhaar satisfies all three conditions: existence of law, legitimate state interest, and proportionality.
He stated that the Aadhaar Act is a just, fair and reasonable law as it only results in minimal invasion of privacy. He further stated that it is passed in pursuance of a larger public interest including prevention of dissipation of social welfare benefits, black money, money laundering, income tax fraud, and terrorism. He submitted that the judiciary cannot question the value judgment of the legislature and that all of the aforementioned are legitimate state interests. He also argued that the right to live a life with dignity trumps the right to privacy and pointed out that subsidies under s.7 of the Act are integral to live a dignified life.
Mr. Venugopal reiterated that before the Act came into existence, Aadhaar enrollment was voluntary and therefore there is no question of violation of rights. He further argued that before the Puttaswamy judgment, neither the government nor the people knew about the right to privacy. However, Justice Chandrachud and Justice Bhushan objected to this. Mr. Venugopal argued that before the judgment, the government could not have assumed that the right to privacy is a fundamental right. Justice Chandrachud pointed out that the Puttaswamy judgment declared all the judgments prior to it that upheld the right to privacy as correct. Mr. Venugopal, however, argued that those judgments were per incuriam as there were larger benches that held to the contrary. The CJI did not agree with this argument.
The hearing will continue on April 4, 2018.