SC Constitution Bench on Aadhaar- Final Hearing (Day XXV)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017; a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

Attorney General K. K. Venugopal resumed his arguments for the state. He continued to refer to judgments that upheld the collection of biometric information. He discussed the decision of the US Court of Appeals, which dealt with DNA and forensic identification of prisoners. The CJI pointed out that the case only dealt with a narrow group of offenders and therefore might not be applicable to the context of Aadhaar. The AG responded that the reasoning of the court is relevant as it upheld the legislation on the grounds that it cannot be struck down on the basis of mere possibility of misuse in the future and that if the provision is later amended it will be dealt with in the future.

Justice Chandrachud responded that the issue here is not one of misuse but of the use of the law, as s.2(g) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) can expand the scope of ‘biometric information’. He further mentioned that such power vested in an administrative authority might not meet the proportionality requirement. The AG responded that it is an issue of excessive delegation and that he would address it.

He next referred to a Fordham Law Journal article on automated finger imaging and the right to privacy explaining how the former does not result in a violation of the latter. Referring to the article, he stated finger imaging is 99.9 percent accurate.

He submitted biometrics is a tool for very accurate conclusion as it prevents fraud and other violations such as tax evasion, money laundering. However Justice Sikri replied fraud is not because of multiple identities. The AG responded if there is Aadhaar, there would be no question of multiple identities. Justice Chandrachud pointed out Aadhaar would not prevent a person from setting up multiple layers of commercial entities controlled by the same individual and therefore would not contribute towards preventing bank frauds.

Justice Chandrachud further stated that even if Aadhaar satisfies the legitimacy of interests, the crux of the issue deals with proportionality. He asked how far could the state cast the net. He pointed out that under s.7 of the Act, the state can rely on legitimate state interest i.e. ensuring that the benefits go to the deserving people but the issue is with respect to those areas which are unrelated to the areas stipulated under s.7.

The AG responded that the government has to compare against 1.2 billion names for de-duplication and to identify the right person. He asked how far casting the net over areas other than the ones mentioned in s.7 of the Act results in a violation of the right to privacy.

Justice Sikri stated the requirement to tabulate each and every activity involving money, irrespective of whether it’s linked to s.7, through authentication might not satisfy the requirement of proportionality. He cited the example of linking mobile number with Aadhaar and said one can say it’s related to money laundering but considering everyone to be a possible violator is violation of proportionality.

The AG responded that terrorists communicate to each other secretly through cell phones and pointed out the example of internet shut down in Kashmir. However Justice Chandrachud responded that the political wisdom of the action is not questioned but he pointed out that terrorists do not apply for mobile number and therefore it is not necessary to ask everyone to disclose their Aadhaar number to obtain a mobile number.

The AG responded the question is to what extent is the right to privacy invaded. He reiterated it is as minimal as possible and further submitted that as far as demographics are concerned, all of it is available in the public domain and therefore there is no invasion of privacy other than the bare minimal amount. He also stated that this helps in serving large public interest.

The AG then asked if a claim of right to privacy can be raised for the purpose of denying rights covered under s.7 of the Act and pointed out that earlier there were a large number of fake cards. Justice Chandrachud stated that s.7 is not based on an ‘Us v. Them’ argument. He pointed out that Art.21 has two elements: a) economic and b) privacy.

The AG responded both the rights are traceable to the same article and therefore the issue is how to reconcile between them. He referred to a case wherein the court upheld the right to information over the right to privacy. However Justice Sikri pointed out that in the case the court only had to deal with balancing of two rights of the same person.

The AG responded that only the bare minimal amount of information required to satisfy the identity of the individual is collected. He further stated that where Aadhaar is required for ensuring that the vast majority of population have the basic right to life such as shelter, food, there is full justification for the encroachment on the right to privacy, provided it is minimal.

Justice Chandrachud suggested the better argument for the state would be to acknowledge that there is an invasion but that it is proportional to the need. He also said in order to decide if the invasion is minimal or not other factors such as informed consent, purpose for which biometrics is obtained, safeguards that are in place to ensure that it is not leaked out for other purposes should be considered. Justice Bhushan interjected that minimal invasion is purely subjective. The AG responded the bench should look at the information collected from an objective perspective keeping in mind the larger interest of the country.

Justice Chandrachud said proportionality as laid down in Justice K. S. Puttaswamy and Anr. v. UoI was in broad terms and therefore it is to be determined how to use it in the case of Aadhaar. He asked if it would mean utilization of data only for the purpose for which it was collected. The AG responded that not one extra element of information is collected from the individual than is required for the purpose and further submitted that s.29(1)(a) and s.29(1)(b) of the Act stipulate purpose limitation.

Next, Justice Chandrachud mentioned there was no safeguard before the Act came into being and that s.59 of the Act does not provide for retrospective application. Senior Counsel Rakesh Dwivedi submitted that a concept study was performed in rural areas before Aadhaar was decided upon and that Information Technology Act in 2009 empowered the use of Aadhaar for e-commerce.

The hearing will continue on April 10, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXIV)

Attorney General K. K. Venugopal resumed his arguments for the state. He stated that the policy decisions of the government cannot be the subject matter of any judicial review and that the three organs of the state should mutually respect each other. He further stated that judicial review of every administrative decision will hinder development and that the duty of the court is to expound the language of the act and not decide the fairness of a particular policy.

Justice Sikri pointed out that the petitioners are challenging the state’s submission that Aadhaar results in only minimal invasion of privacy and therefore their challenge is based on the principle of proportionality. Mr. Venugopal replied that Aadhaar has a legitimate state interest. However, Justice Sikri stated that the bench is not concerned with the policy decision but with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and the Regulations.

Justice Sikri further asked if Mr. Venugopal is arguing that the Aadhaar system is almost impeccable and that the court should not comment on what is correct and what is not, since the government has already performed extensive research with the help of experts. Mr. Venugopal replied in the affirmative and stated that the entire challenge is based on whether Aadhaar is safe and secure and that this has already been proved by them.

Next, he discussed the sixteen-digit virtual ID. Justice Chandrachud asked if every Aadhaar holder gets one. Mr. Venugopal replied that it is up to the individual to generate one for himself through the UIDAI website. Justice Chandrachud asked if the entire population has the knowledge of how to do it, to which Mr. Venugopal replied that it is only an additional measure. Justice Chandrachud suggested that there should be a provision that would enable everyone to have a virtual ID. However, Mr. Venugopal pointed out that if everyone is provided with one unique virtual ID just like an Aadhaar number, then it would be permanent, whereas now it is an ID that can be regenerated each time.

Justice Chandrachud sought to confirm whether the idea behind the virtual ID is to mask the Aadhaar number, so that one who is conscious about their privacy will have the option of providing a virtual ID in place of the Aadhaar number and prevent the latter from being in the public domain. The AG answered in the affirmative.

Next, Justice Chandrachud stated that the fact that a legislation has adopted a legislative policy might indicate legitimate state interest but the mere fact that it is a policy decision is not sufficient to satisfy the proportionality test. Mr. Venugopal responded that the Aadhaar satisfies the test of proportionality since all possible alternatives were considered before it was adopted and reiterated that the court should not become an approval authority.

Next, Justice Chandrachud raised concerns with the power granted to the registration authority to determine what constitutes biological attributes and how they are to be collected. He said that because of the open-ended nature of biological attributes, in the future, the registration authority can even include DNA under it. He asked if power of this nature would satisfy the test of proportionality. Mr. Venugopal replied that as per s.55 of the Act Parliament would have the overseeing authority. However, Justice Chandrachud pointed out that the regulations do not need the approval of the Parliament before they are implemented and that as per s.55 a regulation would be cancelled only if the Parliament disapproves it. Therefore the regulation takes effect as soon as it is passed and its effect is not deferred till it is approved by the Parliament. He said this is an issue of excessive delegation. Mr. Venugopal replied that he would address this issue later.

Mr. Venugopal then referred to cases in which the collection of biometric information was decided to be reasonable and submitted that state may have vital interest in the collection of biometric information. Justice Chandrachud pointed out that in the cases referred, the biometrics were collected for a specific purpose such as in the interest of safety, ensuring protection against crime and stated that universal application of fingerprints irrespective of purpose is a violation of the proportionality principle. Mr. Venugopal replied that purposes enumerated under s.7 of the Act as well as other purposes such as prevention of money laundering, terrorism, black money are specific and legitimate state interests.

He then submitted that fingerprints are increasingly being used for non-criminal purposes and that this is not an unwarranted invasion of privacy.

Next, he submitted that fingerprints cannot be used for surveillance and that it only serves as a means for identification. He further stated that neither the current government nor the previous governments have used it for surveillance in the last seven years.

Next, he compared Aadhaar to SSN. Justice Chandrachud pointed out that SSN is equivalent to PAN card and not Aadhaar as it does not collect biometrics but contains only the name and SSN number. Senior Counsel Shyam Divan pointed out that SSN does not have authentication unlike Aadhaar. However Mr. Venugopal submitted that SSN collects more information than Aadhaar.

The hearing will continue on April 5, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXIII)

Attorney General K. K. Venugopal submitted the responses by the CEO of Unique Identification Authority of India (UIDAI) to the questions submitted by the petitioners.

Mr. Venugopal read out the questions and answers.

In the first question, the petitioners requested for the figures of authentication failures both at the national and state levels along with a breakup of iris and fingerprints. Mr. Pandey responded that he can not provide the figures at the state level as the UIDAI does not know where the authentication request comes from. However he provided the figures at the national level but specified that a failure does not automatically indicate exclusion or denial of services as the requesting entities are required under law to provide exception handling mechanisms.

The next question dealt with the enrollment and authentication processes for a person who is claiming biometric exception and has not provided a mobile number or is currently using a different number. Mr. Pandey responded that in case of persons who are unable to provide biometrics their iris authentication can be used for updating information including mobile number. He pointed out that this was the reason for incorporating a multimodal enrolment and authentication process in Aadhaar. He mentioned that authentication through mobile number is used as one of the methods in those exceptional scenarios where both iris and fingerprint authentication are impossible and further stated that if mobile number authentication is also not possible, the requesting entities are required to provide their own exception and backup mechanism to ensure delivery of services to Aadhaar holders. He also mentioned that the digitally signed QR code has been implemented to verify the Aadhaar card in an offline manner.

S.5 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and Reg.6 of the Aadhaar (Enrollment And Update) Regulations 2016, and Reg.14(i) of the Aadhaar (Authentication) Regulations 2016, were cited as the provisions addressing this issue.

Next question addressed the issue of requirement of parental consent with respect to the enrollment of children between the age of 5 and 15. Mr. Pandey responded that school officials, if permitted, can act as introducer and enroll the students, provided there is parental consent.

In the following question, the petitioners asked if it would be possible for the child to revoke his consent once he attains the age of 18 years. Mr. Pandey responded that it is not permissible under the Aadhaar Act, but that they have the option of permanently locking their biometrics and unlocking it only when required for biometric authentication.

The next question addressed the issue of enrolment done by blacklisted enrolment operators. Mr. Pandey answered that all enrollments that are contrary to the UIDAI process are rejected and the residents are requested to re-enroll.

In the next question, the petitioners asked for the figures of biometric de-duplication rejections that have taken place till date. They also queried the status of the data packets containing stored information upon rejection of enrollments either on grounds of duplication or for other technical reasons. Mr. Pandey responded that the total number of biometric de-duplication rejections till March 21, 2018 is 6.91 crore. He specifically stated that the figure pertains only to applications identified as having matching biometrics to an existing Aadhaar holder. He further stated that it is highly improbable that all biometrics (ten fingers and two irises) match unless the same person has applied again. He mentioned that the figure does not indicate that there is an equivalent number of people who have been refused Aadhaar and pointed out that none of the de-duplication rejects have filed complaints regarding denial of an Aadhaar number. He said this indicates that genuine residents have re-enrolled themselves and the rest are the ones who are trying to overreach the Aadhaar system through fraudulent means. He also stated that all the data packets are archived in the Central Identities Data Repository (CIDR) irrespective of whether they were accepted or rejected.

Next question addressed the term “any other appropriate response” under s. 8(4) of the Act. Mr. Pandey responded that it includes e-KYC and limited e-KYC data.

In the subsequent question, the petitioners asked if any UIDAI official verifies the correctness of the documents submitted during enrolment. Mr. Pandey responded that the Registrar is entrusted with the duty of verification of documents and mentioned that the Registrar/enrollment agency have to appoint personnel for the same.

Next question dealt with the probabilistic nature of the biometrics. Mr. Pandey stated that biometric authentication is always performed as 1:1 biometric match against his/her Aadhaar number and therefore it is not probabilistic. He also mentioned the exception processes that are implemented to ensure that no Aadhaar holder is denied service due to failure of authentication. He mentioned that these exception processes can be used in case of senior citizens whose biometrics have changed.

The next question addressed the issue of blacklisting of enrollment operators. Mr. Pandey pointed out that they can be blacklisted on the following grounds: a) illegally charging for Aadhaar enrollment, b) poor demographic data quality, c) invalid biometric exceptions, and d) other process malpractice.

In the following question, the petitioners enquired if the point of service (POS) biometric readers are capable of storing biometric information. Mr. Pandey stated that UIDAI has mandated the use of Registered Device (RD) for all authentication requests and that it encrypts the information and therefore rules out the possibility of use of the stored biometric information. He further stated that Reg.17(1)(a) of Aadhaar (Authentication) Regulations, 2016 makes it unlawful for requesting entities to store biometrics captured during authentication.

In the next question, the petitioners asked if authentication user/service agencies record the date, time, and purpose of authentication, the device ID and the client IP. Mr. Pandey responded that the UIDAI does not request these entities to collect any of this information. However, he mentioned that authentication user agencies such as banks may store such additional information under their respective laws to secure their systems. He further mentioned that Reg.18 of Aadhaar (Authentication) Regulations, 2016 stipulates the information that is to be collected by the requesting entities and that only such information will be audited by the UIDAI even if the requesting entity collects additional information.

In the final question, the petitioners asked if the UIDAI can trace the specific device and location from which authentication takes place. Mr. Pandey responded that the UIDAI does not get information regarding the IP address or GPS location and that it only knows the device through which the authentication has happened. He specifically mentioned that the UIDAI does not know the location at which the authentication device is deployed.

Next, Mr. Venugopal stated that Aadhaar is an evolving technology and that all other alternatives including the use of smart cards were investigated previously. He further stated that if there are defects in the Act it could be rectified. He reiterated that Aadhaar project has received wide scale appreciation including from the UN and the World Bank. He stressed that it is a unique identity that can be used for all purposes.

He further stated that Aadhaar is a policy decision by the government and therefore courts cannot interfere in it.

Next, referring to Justice K. S. Puttaswamy & Anr. v. UoI and Ors, Mr. Venugopal submitted that Aadhaar satisfies all the conditions laid down in the case for legitimate invasion of privacy. He submitted that there is a legislation, legitimate state interest and a reasonable nexus between the means used and the objects sought to be achieved. He further submitted that if a law is valid and constitutional but its implementation is unlawful, the law couldn’t be struck down as unconstitutional merely on that ground. He stated that tremendous effort has been made to ensure that invasion of privacy by the Aadhaar project is as minimal as possible and that the law could not have been structured in a better manner to have a lesser impact on privacy.

Next, he referred to Justice Chandrachud’s judgment in Puttaswamy discussing the Srikrishna Committee’s report on data privacy. He stated that whatever more has to be done to ensure data protection would be addressed by the Committee and pointed out that Mr. Pandey is also on the committee.

Next, he submitted that according to Justice Chelameswar’s and Justice Bobde’s opinions in the Puttaswamy judgment privacy is not an absolute right and can be invaded by laws that satisfy the just, fair, and reasonable standard. He cited the Right to Information Act as an example of a reasonable restriction on the right to privacy in light of public interest.

Mr. Venugopal then applied the privacy judgment to Aadhaar. He reiterated that as per the judgment, privacy is not an absolute right and referred to the three conditions laid down in Justice Chandrachud’s judgment that would legitimize the invasion of privacy. He submitted that Aadhaar satisfies all three conditions: existence of a law, legitimate state interest, and proportionality.

He stated that the Aadhaar Act is a just, fair and reasonable law as it only results in minimal invasion of privacy. He further stated that it is passed in pursuance of a larger public interest including prevention of dissipation of social welfare benefits, black money, money laundering, income tax fraud, and terrorism. He submitted that the judiciary cannot question the value judgment of the legislature and that all of the aforementioned are legitimate state interests. He also argued that the right to live a life with dignity trumps the right to privacy and pointed out that subsidies under s.7 of the Act are integral to live a dignified life.

Mr. Venugopal reiterated that before the Act came into existence, Aadhaar enrollment was voluntary and therefore there is no question of violation of rights. He further argued that before the Puttaswamy judgment, neither the government nor the people knew about the right to privacy. However, Justice Chandrachud and Justice Bhushan objected to this. Mr. Venugopal argued that before the judgment, the government could not have assumed that the right to privacy is a fundamental right. Justice Chandrachud pointed out that the Puttaswamy judgment declared all the judgments prior to it that upheld the right to privacy as correct. Mr. Venugopal, however, argued that those judgments were per incuriam as there were larger benches that held to the contrary. The CJI did not agree with this argument.

The hearing will continue on April 4, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXII)

Mr. Ajay Bhushan Pandey, the CEO of the Unique Identification Authority of India (UIDAI), resumed his presentation. He began with a discussion on the enrollment operators. Justice Chandrachud asked if it is possible for the enrollment agencies to make copies of the data before it is encrypted. Mr. Pandey responded that they do not have access to biometrics as it is collected by UIDAI software. Justice Chandrachud asked if any of the operators have been blacklisted on the grounds of data breach, to which Mr. Pandey responded that it would be possible only if the enrollment operator is qualified enough to tamper with the enrolment software and further pointed out that in the event it happens, it is punishable. He further stated that private enrolment agencies are being phased out and that only banks and post offices will be allowed to perform it.

He also highlighted that the central authentication server is not connected to the internet to ensure security of the data.

Justice Bhushan asked if UIDAI is capable of aggregating the data. Mr. Bhushan responded that s.32(3) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) prohibits them from knowing the purpose of authentication.

Next, Justice Chandrachud asked if authentication agencies could be private and if they could store the authentication data and share it. Mr. Bhushan responded that such acts are prohibited under s.29(3) and 38(g) of the Act and Reg.17(1)(d) of the Aadhaar (Authentication) Regulations, 2016. Justice Chandrachud rightly pointed out that the private authentication agencies have a record of the authentication requests even if the UIDAI does not and that it can be misused to profile individuals.

Justice Khanwilkar asked Mr. Bhushan to not discuss the operational aspects in great detail but to clear the apprehensions regarding the Aadhaar software. Mr. Bhushan however responded the software is secure and that there has not been a single data breach till date and requested the court to not believe the media reports. He further stated that the breaches that have occurred are not of UIDAI’s database. Justice Chandrachud interjected that there is no enforceable protection that is available against other databases even if Central Identities Data Repository (CIDR) is completely secure. He also pointed out that unless the high level of security maintained at the CIDR is implemented at the authentication agencies as well, it would be problematic.

Next, Mr. Pandey accessed his authentication history from the UIDAI website and pointed out that information such as location and purpose is not available. He also stated that the provision to access the authentication history allows a person to figure out if his Aadhaar number has been misused.

Next, he successfully demonstrated the withdrawal of Rs.100 from an IDBI bank account using biometrics and said that it is similar to a walking ATM. He mentioned that most people find it difficult to use debit cards and pin numbers and therefore Aadhaar makes it simpler thereby enabling people to be financially included.

He continued to further explain how secure the whole process of authentication is. He stated that the UIDAI no longer collects the Geocode and IP address of authentication. He also stated that a standard practice has been established to display only the last four digits of the Aadhaar number wherever necessary. He further stated that the Aadhaar architecture ensures privacy and reiterated that the biometrics are not shared except for the purpose of national security and pointed out that no such request has been received from the government so far.

Next, he discussed the authentication metadata elements and said that UIDAI does not collect metadata elements that would enable profiling of individuals. He reiterated that location and purpose of authentication is not collected.

Next, Mr. Pandey screened a short film on security measures available at the data centres.

Then, he discussed the privacy safeguards built into the Aadhaar infrastructure like virtual id, UID token, purpose and use limitation, online access to authentication history, biometrics lock. He stated that further safeguards could be adopted if there are concerns regarding the privacy and security of Aadhaar data. Justice Sikri interjected and pointed out that illiterate people cannot be expected to use virtual ID. Mr. Pandey responded that it is just a safeguard in addition to the Act.

Next, Justice Sikri asked if authentication agencies and requesting entities store the authentication logs. Mr. Pandey responded that they store the details except the biometrics. He further mentioned that these agencies are audited either by the UIDAI itself or by an agency appointed by them to ensure smooth functioning of the whole system.

Mr. Pandey next stated that experts have advised the use of multimodal biometric authentication, such as a combination of iris scan and fingerprints, for identification and authentication, as they are of the opinion that fingerprints might not work in all instances. The bench responded that such arguments should be made by the Attorney General and not by the CEO of the UIDAI.

Next, Mr. Pandey submitted that the use of virtual ID and UID tokens help in ensuring that the databases are not combined. He distinguished between agencies that require real Aadhaar number such as income tax department and those that do not such as telecom.

The bench asked Mr. Pandey to submit a note explaining the architecture of virtual ID and UID tokens and how they help in preventing de-duplication. Mr. Pandey agreed to the same and further explained that a UID token is a 72-character alphanumeric string generated for system usage and pointed out that different authentication agencies will have different UID tokens, thereby making it impossible to identify the Aadhaar number through reverse engineering.
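The virtual ID and UID token safeguards described in these hearings can be modelled as below. This is an added example, not UIDAI's implementation: the HMAC construction, the key, the agency names and the ID numbers are assumptions constructed for illustration, and only the 16-digit and 72-character lengths come from the summaries. It also shows the limit the bench raised: agencies that keep the real number remain joinable.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical issuer-side secret, constructed for this example.
MASTER_KEY = secrets.token_bytes(32)


def uid_token(agency_id, id_number, key=MASTER_KEY):
    """Per-agency token: keyed hash over (agency, ID number).

    HMAC-SHA384 truncated to 45 bytes encodes to exactly 72 base32
    characters (A-Z, 2-7), matching the length stated in the hearing.
    The construction itself is an assumption, not the real scheme.
    """
    msg = agency_id.encode() + b"\x00" + id_number.encode()
    digest = hmac.new(key, msg, hashlib.sha384).digest()[:45]
    return base64.b32encode(digest).decode("ascii")


class VirtualIdRegistry:
    """Issuer-side map from revocable 16-digit aliases to real ID numbers."""

    def __init__(self):
        self._vid_to_id = {}
        self._id_to_vid = {}

    def generate(self, id_number):
        # Regenerating revokes the previous alias for this holder.
        old = self._id_to_vid.pop(id_number, None)
        if old is not None:
            del self._vid_to_id[old]
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_id:
                break
        self._vid_to_id[vid] = id_number
        self._id_to_vid[id_number] = vid
        return vid

    def resolve(self, vid):
        return self._vid_to_id.get(vid)


def authenticate(registry, agency_id, vid, needs_real_number=False):
    """Return what the agency gets to store after a successful lookup."""
    id_number = registry.resolve(vid)
    if id_number is None:
        return None  # unknown or revoked virtual ID
    record = {"token": uid_token(agency_id, id_number)}
    if needs_real_number:
        record["id_number"] = id_number
    return record


def joinable(db_a, db_b, column):
    """Number of holders two agencies could link by joining on `column`."""
    a = {r[column] for r in db_a if column in r}
    b = {r[column] for r in db_b if column in r}
    return len(a & b)


def demo():
    registry = VirtualIdRegistry()
    residents = [f"9999{n:08d}" for n in range(1, 6)]  # constructed numbers
    telecom, bank, tax, land = [], [], [], []
    first_vid = None
    for number in residents:
        vid = registry.generate(number)
        first_vid = first_vid or vid
        telecom.append(authenticate(registry, "telecom-01", vid))
        bank.append(authenticate(registry, "bank-02", vid))
        tax.append(authenticate(registry, "tax-03", vid, True))
        land.append(authenticate(registry, "land-04", vid, True))
    new_vid = registry.generate(residents[0])  # holder rotates the alias
    again = authenticate(registry, "telecom-01", new_vid)
    return {
        "token_len": len(telecom[0]["token"]),
        "token_alnum": telecom[0]["token"].isalnum(),
        "join_on_token": joinable(telecom, bank, "token"),
        "join_on_real_number": joinable(tax, land, "id_number"),
        "old_vid_revoked": registry.resolve(first_vid) is None,
        "token_stable_after_rotation": again["token"] == telecom[0]["token"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Tokens stop a join only between agencies that hold nothing but tokens; any two databases that both retain the real number, or other shared attributes, can still be combined.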

Mr. Pandey distinguished between the Aadhaar card and smart cards. He said that uniqueness might not be possible in the case of smart cards, as one person could have multiple smart cards with different identities and the same biometrics. In furtherance of this submission, he stated that a central database of biometrics is therefore important to ensure uniqueness. He also stated that identity theft does not occur even if the Aadhaar card is lost, whereas it is possible in the case of smart cards. Next, he submitted that surveillance is not possible with CIDR as silos of information are not combined, whereas it can be performed in the case of smart cards by merging databases.

Referring to the smart card system used in Singapore, Mr. Pandey stated that storing a lot of information on the smart card is not a great idea. He further pointed out that changing the encryption on a smart card from time to time is not feasible and stated that offline smart cards cannot substitute online authentication.

Next, the CJI asked if there is any scope for misuse of data by the enrollment agency or requesting entity. Mr. Pandey responded that the data is encrypted and sent to the CIDR and during the time gap between entering the fingerprint and encryption of the same, the data is captured in the UIDAI’s software and therefore there is no scope for misuse.

Mr. Pandey concluded his presentation by showing a graph depicting the success rate of Aadhaar authentications from 2013-2018 and reiterated that from July 1, 2018 facial recognition will be used along with biometrics to ensure better authentication.

The petitioners submitted a list of questions based on the presentation, which the state will have to answer during the next hearing.

The petitioners also requested the bench to extend the deadline for s.7 benefits in light of the fact that fourteen crore forty eight lakh authentication failures have taken place. The state responded that authentication failures do not amount to denial of services. The CJI refused to grant an extension.

The hearing will continue on April 3, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXI)

The Attorney General (The AG) submitted the word format of the PowerPoint presentation by the CEO of the Unique Identification Authority of India (UIDAI) to the bench. The bench granted the permission to present the PowerPoint in the afternoon session and permitted the petitioners to submit a questionnaire.

The AG resumed his submissions for the state. He began by referring to the World Bank’s Identification for Development Report (ID4D Report). Referring to the report, he highlighted the importance of unique identity in eradication of poverty and in the attainment of sustainable development goals.

Justice Chandrachud queried about the Aadhaar authentication and enrollment fees to which the AG responded that it is free.

The AG concluded the report by stating that the goal is to achieve compliance with the sustainable development goal of legal identity for all by 2030. He pointed out that India has taken a lead in ensuring compliance with the goal by obtaining 1.2 billion enrollments in the Aadhaar programme.

Next, he submitted to the court a list of dates indicating the history of the Aadhaar programme. He reiterated that it is a well thought out project and not a casual venture and pointed out that various government committees have been working on it since 2006. Justice Sikri said that the dates have no relevance while addressing the issue of constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act).

Mr. Ajay Bhushan Pandey, the CEO of the UIDAI commenced his presentation with a broad outline of what would be covered- the need for identity, enrollment, and authentication, technology used, success rate, fall back mechanism used in the event the authorization is not successful, the methods used to cover deficiencies in the system, Aadhaar security, and current architecture v. smart card.

Mr. Pandey discussed the lack of nationally accepted IDs in the pre-Aadhaar era. He pointed out that getting a ration card was difficult as it required ID proofs and stated that most people did not know how to obtain their first ID. He highlighted that voter IDs and ration cards are region specific. He stated that the scheme of Aadhaar is to address this very issue of lack of a national ID as it is a robust lifetime online verifiable national ID.

Next, he discussed in detail the concept of the Aadhaar number. He explained that it is a randomly generated 12-digit number, which once issued is never reissued. He also pointed out that it is not linked to citizenship and that every resident is entitled to have an Aadhaar number. He also said that UIDAI collects only very minimal data and contrasted it with the US SSN application.

He further stated that a very wide list of proof of identity and address is allowed to get an Aadhaar and that it is not as stringent as opening a bank account.

Next, he discussed the exceptions that are available to people who are unable to provide biometrics due to injury, deformities, or leprosy and stated that Reg.6 of the Aadhaar (Enrolment and Update) Regulations, 2016 provides for biometric exceptions in such instances. He further explained that in the case of a person to whom the exception applied, at the time of authentication, a one time password (OTP) would be sent to his registered mobile number, which would be entered in place of biometric authentication. He further added that from July 1st the UIDAI is considering including facial recognition along with fingerprint, iris scan, and OTP. He said that this is from a security point of view and also because the persons to whom the exceptions have applied do not have the required biometrics. He said the requesting entity would have the choice to decide what authentication mechanism they would like to avail.

He also said that enrolment and updating can happen anywhere in the country as it is a portable entitlement and not region specific unlike other IDs. Addressing the issue of data sharing, he stated that data is not shared in the absence of consent unless there is an order by a district judge or if it is required for national security purpose.

Next, he explained how the enrollment agencies are selected. He said that they can be either public or private and that they are empanelled based on certain criteria: primarily, the persons in the agency themselves should have an Aadhaar, they should have technical training, and they should pass the certified operators exam.

Justice Sikri asked if the agencies can save the data collected by them. Mr. Pandey responded that the moment the agencies press the save button the data gets encrypted and he highlighted that it is a 2048 bit encryption key which acts as a number lock and that it would take a super computer 13 billion years to breach the data. He further said that the software and hardware used are Standardization Testing and Quality Certification (STQC) certified and also that the operator is certified and is therefore in the database.

Justice Sikri asked why the UIDAI de-registered many agencies and why 49,000 enrollers were blacklisted. Mr. Pandey responded that it was due to corruption, as some of the agencies collected fees for enrollment, and also because some of them did not enter the data properly as they were either careless or wanted to harass people. He further stated that the agencies were released if their quality was below 96 percent.

Mr. Pandey also pointed out that the UIDAI works in coordination with hospitals and collects the data of newborns. Justice Chandrachud pointed out that the World Bank Report states that children below five do not need Aadhaar. Mr. Pandey responded that this is done because they are residents and pointed out that their biometrics are not collected but only their photograph and their parents’ Aadhaar details. He said that their biometrics are initially collected at the age of five and then again at fifteen. Justice Sikri asked how they collect the biometrics of children, to which Mr. Pandey responded that they coordinate with the anganwadis and schools where enrollment camps are set up.

Justice Chandrachud asked what happens when the biometrics change. Mr. Pandey replied that when biometrics, photo, address change, one can update it at the enrollment centre where the old and the new data are compared and if it is found to match it is updated. Justice Sikri said that many people are unaware when their biometrics change and asked how to address this issue as it can result in exclusion. Mr. Pandey replied that in such instances when a person goes for authentication an error will be displayed and an advisory to update the information will be sent.

Justice Chandrachud asked if the UIDAI is only informed of authentication failures and not of denial of services. Mr. Pandey replied that ministries are constantly advised not to rely solely on Aadhaar authentication as it might lead to exclusion and pointed out that a circular was issued on Mar. 21, 2018 stating the same.

Justice Khanwilkar raised concerns about the software being designed outside India, thereby making it prone to tampering. Mr. Pandey replied that only the biometric matching software is licensed from the world’s best companies. He analogized it with banks using SAP and Oracle and said it does not mean that banks give their data to them.

Mr. Pandey also reaffirmed that the biometrics are not shared with the requesting agency. He said that when authentication takes place, the UIDAI does not collect the purpose, location, and details of the transaction. He further stated that four crore authentications take place every day but the UIDAI is unaware of the purpose of authentication as the information remains in silos and merging of silos is prohibited.

The hearing will continue on Mar. 27, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XX)

The Attorney General K. K. Venugopal (The AG) commenced the arguments on behalf of the state.

Mr. Venugopal commenced by pointing out that there are many technical issues involved in this case regarding security and storage of information. He stated that various expert committees have looked into Aadhaar since 2006 and had also considered other alternatives such as smart cards before finally deciding upon Aadhaar. He pointed out that many countries have already adopted unique identification systems and that the World Bank has also examined it and cited it in its “Identification for Development” report. He said that the World Bank has referred to Aadhaar in the report.

He requested the court’s permission to present a PowerPoint presentation by the CEO of Unique Identification Authority of India (UIDAI) to explain the technical and security aspects of Aadhaar.

CJI responded that the petitioners have argued on privacy, anonymity, dignity, surveillance, aggregation, presumptive criminality, unconstitutional conditions, absence of law, and security and asked the AG to respond to these legal contentions first. Mr. Venugopal responded that the presentation would clarify all the doubts and fears regarding the Aadhaar structure and it would help the state in explaining their legal contentions in a better manner.

The Bench responded that a decision on the presentation would be made later and asked the AG to continue with his submissions.

The AG submitted that large sums of money have been saved by providing benefits and services through the Aadhaar programme. He stated that when the British left India the poverty level was 66 percent and corruption was massive. He argued that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) has been framed to address these issues and to bridge the gap between the rich and the poor. He further argued that the architecture of the Act is such that it would ensure the lowest possible level of invasion of privacy. He also submitted that before the Act, Aadhaar was voluntary and therefore one cannot argue that his voluntary act has resulted in a violation of his fundamental rights.

Referring to Munn v. Illinois, the ratio of which has been accepted by the Indian Supreme Court, he stated that right to life is not a right to a mere animal existence but is the right to live as a human being with full dignity.

Justice Sikri pointed out that it is interesting when two rights, the right to privacy and the right to life, clash and pointed out that in this case the right to dignity is invoked by both sides.

CJI stated that liberty cannot be compromised unless it is for certain exceptions like criminality. He then sought clarification on whether the AG’s argument was that the individual right to privacy must give way to distributive justice. The AG responded that if one is poor in this country he becomes invisible. Justice Sikri intervened that this argument should be dealt with in the context of exclusion, to which the AG responded that even though the issue of exclusion has been raised by various NGOs the court has not yet heard from any affected person. Justice Chandrachud intervened that individual rights cannot be made subordinate to distributive justice. The AG responded that the right of people to not die of hunger and have a shelter prevails over the right to privacy. Justice Bhushan however stated that all these rights have to exist and cannot trump the right to privacy.

The AG submitted that here the question is of balancing the rights and not of violation. He reiterated that there can be no question of violation of fundamental rights prior to the Act as no one was coerced to get Aadhaar and enrolment was purely voluntary. Justice Chandrachud pointed out that even if people volunteered to get an Aadhaar they never accepted the commercialization of their personal data.

The AG argued that people from the marginalized communities who became beneficiaries during 2009 and 2016 have not raised any complaints. Justice Sikri in response pointed out that the class of s.7 beneficiaries of the Act is not limited to just the marginalized communities.

The AG submitted that Aadhaar is enabling the right to food and livelihood of millions of residents by providing them with subsidies, benefits, and scholarships. He stated that it is an efficient and transparent means for delivery of services and pointed out that it is only a handful of petitioners who are now challenging it on grounds of privacy.

Referring to the statement of objects of the Act, he submitted that the objective of the Act is to ensure targeted delivery for genuine beneficiaries and therefore it furthers the right to life of poor people in India and also advances the Directive Principles.

The AG then referred to the Wadhwa Committee Report referred to in PUCL v. UoI, which recommended computerization of public distribution services. He referred to the relevant part of the judgment where the court asked Mr. Nandan Nilekani to suggest ways for computerization and stated that it is Mr. Nilekani who has conceptualized UIDAI.

Next, he submitted that s.12 of the National Food Security Act envisages Aadhaar for targeted distribution and transparent delivery of food grains. He then referred to relevant part of Binoy Viswam v. UoI which endorsed that Aadhaar prevents multiple identities and provides for one unique identity. He referred to relevant excerpts of the judgment which rejected the Article 14 challenge to Aadhaar and endorsed it as the most robust way to prevent duplication.

Justice Sikri pointed out that pension is a right and asked how it would fall within the scope of s.7 of the Act. The AG responded that there are fake pension cards as well. However Justice Sikri stated that it has to be discussed in the context of exclusion, in response to which the AG reiterated that the court has not yet heard from anyone who has been excluded.

Justice Chandrachud asked how a pensioner residing abroad with his children would receive his pension, as he would not be able to produce his Aadhaar card in person. The AG pointed out that Aadhaar is only required for residents and stated that there must be a separate provision in the Pension Act dealing with NRIs. He said that such a person would not be covered by the Aadhaar Act.

Justice Chandrachud pointed out that pension accounts are individual accounts and therefore there is no question of impersonation. Responding to this the AG referred to the World Bank Report which stated that unique identification should be made universal.

Next, Justice Chandrachud pointed out that pension is an entitlement and therefore would not come under “subsidies, benefits, and services” and s.7 of the Act. The AG responded that pension comes from the consolidated fund and therefore it is covered.

Justice Chandrachud stated that the problem of financial exclusion in our country is undeniable and pointed out that the Cabinet Secretary has also acknowledged it. He said that he wants the government to come upfront about it and inform the court what measures have been taken to address the issue. The AG stated that exclusion cannot be a ground for striking down the whole project and also agreed to submit before the court the measures that have been adopted.

Referring to the World Bank’s Identification for Development Report, he reiterated that Aadhaar is the only mechanism that can ensure development. He argued that official identification is a fundamental human right and it helps in ensuring economic development, participation in electoral process, and helps the government in providing benefits to the people. He submitted that it is a key enabler of sustainable development goals.

Justice Sikri asked, if the purpose of Aadhaar is to establish identity and ensure that there are no fake cards, where the need for centralization of data arises. He further pointed out that in Singapore every citizen is required to have a unique identity but it is chip based and is not stored with the government. The AG replied that the smart card was considered but it is not feasible in the Indian context.

The hearing will continue on the 22nd of March, 2018 (Thursday).

SC Constitution Bench on Aadhaar – Final Hearing (Day XIX) (Part II)

By Arpita Biswas

The next petitioners were represented by Senior Counsel PV Surendranath.
He stated that there was a direct impact of violation caused by the Aadhaar programme. He stated that there had been a direct impact of violation of Article 21 and that the Aadhaar programme would also not pass the test of rationality.
He also stated that after biometric and demographic data had been divulged, a citizen would have no control over their data and it would amount to a unilateral decision. He also commented on the irrationality and the unreliability of the concept of the programme.
He then moved on to discuss the reliability of fingerprints, referring to the FBI’s 2004 statement (relating to Brandon Mayfield).
Mr. Surendranath concluded his submission and Senior Counsel C.U. Singh commenced with his submission.
He discussed the Convention on the Rights of Children and child rights in relation to Aadhaar. He discussed Article 8 and 13 of the Convention. He also discussed the Juvenile Justice Act of 2015 in this regard. He stated that the rights of children to privacy are expressly protected under the Protection of Children from Sexual Offences Act and the Juvenile Justice Act.
Mr. Surendranath went on to read out relevant provisions of the Juvenile Justice Act. Further he stated that a child in India had no right to give consent and right to enter into a contract. In this regard, he referred to relevant provisions of the Indian Contract Act. He questioned how a child could be made subject to a permanent system of Aadhaar if they could not operate their own bank account.
Further, he stated that mandating Aadhaar in certain aspects was also affecting a ‘fundamental right to education’ and subjecting it to parliamentary legislation. All these aspects were taking away the rights of children.
Referring to Justice Kishan Kaul’s judgment in Puttaswamy, he briefly discussed privacy qua the rights of the child.
Moving on, he discussed the Aadhaar Act. He discussed exclusion under Section 7 of the Aadhaar Act and stated that the Act had become a tool for exclusion rather than a tool for inclusion.
On the issue of personal data and security breaches, he stated that the Court’s intervention was called for. He also stated that alternatives to the current system should be considered, specifically implementations which are necessary and less intrusive.
Further he discussed mid-day meal schemes and the requirement of Aadhaar and also how the programme affects the most vulnerable sections of the society.
Mr. Surendranath concluded his submission and Senior Counsel Sanjay Hegde commenced with his submission.
He stated that the mandatory nature of Aadhaar went against certain religious beliefs. He commented on the concept of a ‘conscientious objector’ and the right of conscience. He also stated that the petitioner could not conscientiously be asked to follow their religious faith and apply to Aadhaar, since it wasn’t in line with their faith.
Justice Chandrachud questioned if a person’s conscience could disallow them from enrolling for income tax.
In response, the Counsel commented on the requirement of helmets for Sikhs.
Chief Justice Dipak Misra referred to Article 25 stating that the application would be independent of our individual concerns.
Further, Mr. Hegde commented on ‘conscientious objection’ in the context of the World Wars and exclusion from military service.
Justice Sikri stated that the Bench would consider the argument.
Senior Counsel Hegde concluded his submission and Counsel Jayna Kothari commenced her submission.
She stated that her submission would discuss how the rights of people from the transgender community would be affected by Aadhaar.
She stated that the definition of biometric information in the Aadhaar Act could be amended and that requirements like DNA could also be introduced someday. She stated that demographic information includes information relating to name, date of birth, etc. She stated that while the Aadhaar enrolment form had provisions for identifying as transgender, the PAN card didn’t and other forms of identification did not. This would create issues for filing income tax returns.
She also stated that there was no uniformity in gender identity and that there would not be similar identities across systems.
Further, she stated that to identify as transgender under the Aadhaar Act, a citizen would have to produce other documents in support. She stated that to be able to identify as transgender, certain identification systems also required transpeople to have first undergone medical reassignment surgery. This would be disadvantageous for transpeople who would choose to not undergo gender reassignment surgery and also those who were in the process. She stated that a right to gender identity was guaranteed under Article 21 of the Constitution.
She also stated that tying the grant of benefits to Aadhaar would also imply that people may have to reveal their gender identity by force. Referring to the Puttaswamy judgment, she stated that there were some markers which should be specifically prohibited, like caste and also gender identity. She stated that this mandatory requirement would possibly threaten the lives of trans people and open them to abuse. She referred to Section 377 of the IPC and the Telangana Eunuchs Act in this regard.
Referring to a decision by the Supreme Court of the Philippines, she discussed the national computerised identification system which was similar to Aadhaar and was attempted to be instituted in the ‘90s. However, the Supreme Court invalidated the programme on the grounds of privacy.
Lastly, she also commented on the requirement of Aadhaar for HIV treatment.
She concluded her submission and Counsel Prasanth Sugathan commenced his submission.
He discussed the requirement of Aadhaar and how the cumbersome procedure affected those who were already in a disadvantaged position. He also commented on how the Aadhaar programme affected the financial services available to NRIs.
Mr. Sugathan concluded his submission and Ms. N.S. Nappinai commenced her submission.
She stated that the entire Aadhaar scheme was being put forward on the scheme of national security and referred to the Tallinn Manual in this regard.
She referred to the concept of national security, and life and liberty in Romania and Canada. She also discussed the kill switch argument being used with regard to internal threat. She also stated that digital ghettoisation was taking place.
The petitioners have concluded with their submissions and the respondents will commence on the 21st of March, 2018.
Arpita Biswas is a Programme Officer at the Centre for Communication Governance at National Law University Delhi

SC Constitution Bench on Aadhaar – Final Hearing (Day XIX) (Part I)

By Arpita Biswas

Senior Counsel Meenakshi Arora continued with her submissions.
She stated that the collection of data under the Aadhaar project was grossly disproportionate. She also stated that the collection and retention of data should be subject to purpose limitation, in the absence of which mass surveillance and profiling could become prevalent.
She referred to the case of Digital Rights vs. Ireland discussing the effect this judgment had on the retention of metadata.
She stated that the law required the service provider to retain the communication and not the content of the communication. She also referred to excerpts wherein the data retained made it possible to identify users and communication equipment. In addition she stated that the data taken as a whole allowed precise identification, including daily movements and other sensitive information. She stated that if a citizen had the ‘feeling’ that their private lives were likely to be surveilled, it should be enough of a concern.
Moving on, Ms. Arora discussed the difference between general warrants and specific warrants. She stated that the Aadhaar Act was in the nature of a general warrant, and not a specific warrant. Referring to Justice Nariman’s judgment in Puttaswamy vs. Union of India, she stated that general warrants were considered to be ‘bad’ and that ideally a warrant should be specific in nature.
She then discussed the cases Szabo vs. Hungary and a case by the German Federal Court. Referring to the latter, she stated that the German Court held that 6 months was too long for data to be stored, comparing it to the Indian standard of 7 years.
Referring to a judgment by the German Constitutional Court, she stated that storing communication without cause would create the apprehension of being watched.
She then moved on to discuss a United Nations General Assembly resolution (16th November, 2016), stating that while metadata could provide benefits, certain kinds of metadata could reveal sensitive information.
She then discussed Puttaswamy vs. Union of India, stating that there was no place for a ‘big brother’ in this democracy. Referring to an affidavit filed, she stated that surveillance by the CIDR with the use of aggregated data from the Aadhaar project was a possibility.
She stated that this form of surveillance could only take place in a state that does not follow the law. She stated that laws should be formulated in a way to ensure that those elected in the future cannot abuse their power. She stated that protection was not meant to be immediate, but long lasting.
She also stated that the collection, aggregation and retention of data on a mass scale had no purpose for Aadhaar. This conclusion could also be reached by applying the general/specific warrant test and the proportionality test.
She questioned the validity of a national legislation which covered, in a general manner, all subscribers as generalised users. She stated that there was no stated objective for the same and no strict necessity either. Further on the issue of necessity and proportionality, she questioned if it was proportionate to link a large number of services to Aadhaar.
Referring to Section 7 of the Act, Ms. Arora discussed the proviso with regard to alternate means of identification. She questioned why alternate forms of identification would not be good enough for benefits and subsidies, since they were good enough to procure Aadhaar identification.
Chief Justice Misra commented on the interpretation of these provisions, stating that the petitioners were ‘reading up’ the provision.
Ms. Arora went on to discuss the Canara Bank judgment. She also discussed the absence of data protection and security provisions and its effects on the Aadhaar project. Referring to a UN document, she stated that individuals often do not provide explicit and informed consent and that sharing of sensitive data had become increasingly common.
Further, she went on to discuss judicial supervision in the context of the Act and the ‘political nature of the authorisation’.
She also discussed the chilling effect the Aadhaar project had had on the exercise of fundamental rights. Further, she discussed Bentham’s Panopticon model and the nature of a surveillance state. She also referred to the creation of an asymmetry of knowledge, and the state aiding in the creation of docile bodies.
Lastly, she stated that the Aadhaar project infringed on the right to dignity of an individual and that the Magna Carta recognised that every human being was entitled to an identity.  She stated that in this system, citizens did not have control over their own identities. She commented on Aadhaar being the sole means of identification and stated that it altered the relationship between the state and its subject.
Senior Counsel Meenakshi Arora concluded her arguments and Senior Counsel Sajan Poovayya commenced his arguments.
He started off by referring to a 1983 German federal court case on data submission and discussed ‘compelling state interest’ in this regard. He stated that when the same legislation was in the domain of ‘brick and mortar’ it would be viewed differently than a legislation about different technology.
He then discussed the shift in technology over decades and the perils of the Aadhaar Act. He stated that technology disrupts itself often, and new technology comes into force. He stated that even assuming that there was a compelling state interest in Aadhaar, the interest would be that the resident has to receive subsidies. He stated that there was no need for a precise identity for the use of subsidies from consolidated funds. Lastly, he stated that the interest had to be achieved in the least intrusive manner.
He briefly discussed the case of Chintaman Rao.
The discussion then moved on to biometric information. He stated that assuming that biometrics were a good form of identification, it would still be problematic for the Aadhaar programme because the best technology is meant to be the least prescriptive. Drawing on the instance of a credit card, he stated that credit card chips can store data in a much more credible way and are a cost-efficient alternative as well.
He stated that similar to information stored on a credit card chip, biometric information could be stored on an external chip as well. At the time of availing subsidies and benefits, these cards could be produced and the person could place their thumb print and verify through the chip. He stated that that seemed to be the least intrusive method, since personal information would remain with the individual and not in a centralized database. Referring to the 9 judge bench decision of Puttaswamy vs. Union of India, he stated that informational self determination was an important consideration and that the use would have to be limited to a specific purpose for self determination to be intact.
Further on this issue, he stated that the test was not possibility of misuse, rather the consideration was seeking lesser intrusive ways to collect information.
He referred to the failure rates of the Aadhaar programme, stating that the probability test would become much more certain when only the thumb prints were on the card.
He moved on to his second submission, questioning if biometric methodology was the only methodology in use. He stated that certain forms of biometric identification had been long in use, and that there seemed to be limited compelling state interest to mandate biometric identification.
He also stated that under Section 57, what constitutes biometric data can be amended too. Further he stated that seemingly ordinary practices could become intrusive in the technological world. A legislature could permit more intrusive ways of identification; Mr. Poovayya illustrated this with the case of DNA or bone marrow being used in the future.
Referring back to a German decision from 1983, he stated that the speed of computation technology has grown exponentially from millions to billions. Citing this case, he explained the difference between personal data being collected as opposed to statistical data.
He also stated that the Aadhaar programme was not the same as the census, since the Parliament would only allow government servants to deal with data. He questioned why personal data in the Aadhaar programme was not afforded this kind of protection.
Lastly, he also discussed handing over sensitive personal data to software companies and data retention policies.
Arpita Biswas is a Programme Officer at the Centre for Communication Governance at National Law University Delhi

SC Constitution Bench on Aadhaar – Final Hearing (Day XVIII)

By Arpita Biswas

Senior Counsel K.V. Viswanathan continued with his submissions.
He discussed PDS irregularities related to Aadhaar.
He also discussed the case of Marper, citing it to establish that several misleading statistics had been used by the parties. He stated that several statistics were considered and rejected by the Court. Similarly, he urged the Bench to consider the statistics on Aadhaar’s success which would be presented by the respondents.
He then went on to discuss the case of Peck vs. The United Kingdom. He stated that the examination of alternate means in this case was mandatory. He also stated that the court noted that the council had other options available to it.
Mr. Viswanathan also discussed ‘excessive delegation’ under the Aadhaar Act. In this regard he stated that the Act does not lay down any guidelines and there was no right of hearing against omission of Aadhaar numbers, in addition to other such aspects.
Mr. Viswanathan concluded his arguments and Senior Counsel Anand Grover commenced with his submission.
His first submission was that the whole architecture of Aadhaar was beyond the Act since data was allowed to move outside the CIDR.
He also commented on the private nature of enrolling agencies and other related bodies, as has been stressed on earlier in the hearings.
He stated that all these factors could contribute to a serious breach of privacy.
Moving on, he discussed the Aadhaar Act and what was allowed to be collected under the Act. While the Act allows for the collection of biometric demographics, the data collected in real time went beyond just the demographics. Mr. Grover stated that often factors like caste were collected as well. He stated that the data was segregated and sent to the state and the CIDR separately. He also stated that the UIDAI had a proactive role in this form of data collection.
On the issue of data destruction, Mr. Grover stated that the hard disk and the server would have to be destroyed to ensure the complete removal of data, implying that the data removal technique in use now was technique.
He also stated that privacy had to be preserved and that data leakages into the public domain would have to be prevented as well.
Referring to the state resident data hubs, he stated that biometric data was made available for private and unregulated use as well. Further, he stated that registrars retain biometric information as well and that the CIDR would also be absolved of any liability.
Reiterating the issue of collecting details about caste, he stated that state resident data hubs could collect and use such data for their own analyses, as has happened previously in Maharashtra.
He stated that permanent deletion of data was not a simple process and that the union should have to furnish evidence of such deletion.
He also stated that the architecture of the CIDR was such that unauthorised entities had easy access as well.
Mr. Grover then went on to discuss the inaccurate nature of fingerprints and iris scans.

Further on the Aadhaar Act, he stated that no one could file complaints under the Act and that the biometric system allowed for exclusion. He reiterated that private agencies had access to personal information of third parties.
On the issue of data retention, he stated that there was a complete failure to ensure the security of data. He also stated that data retained its private nature at all stages.
On the issue of authentication, he stated that authentication was only meant to be conducted through registered devices, however, unregistered devices have also reportedly been used.

Mr. Grover further discussed the Aadhaar Act, focussing on Section 23(2)(m) and data security regulations.
He discussed the likelihood of how e-governance systems would function and the effects on essential supplies. Using the example of electricity supplies, he stated that e-governance systems often categorised areas and that rural areas could be on the lowest rung of the categorisation. This would imply that rural areas would receive lesser resources.
The Bench questioned whether Mr. Grover was referring to a system of categorisation or prioritisation.
Mr. Grover stated that the system took the form of prioritisation.
He stated that the determination of such matters would then be carried out by technologically driven code, and that it was impossible to understand the technology. He questioned how it could be determined, stating that it could amount to a violation of rights by virtue of use of technology. He stated that laws are written into self-executing codes and Aadhaar data would never be neutral to all citizens. He stated that even if there was no active discrimination, there could still be differential treatment by virtue of the technology.
He remarked on the excessive delegation of the Aadhaar Act and the interim orders passed in 2015, stating that the executive could not override the Court’s orders.
On the issue of privacy, he commented on purpose specific use limitations and discussed the PUCL guidelines and the case of United States vs. Resting House.
He stated that the Aadhaar Act had no safeguards and that prohibited acts were being carried out with impunity. He also stated that the UIDAI had facilitated data transfer in contravention of the Act. He also reiterated that the data could not be permanently destroyed. Lastly, he stated that a solution would be to carry out an audit of the Aadhaar project or prove that one had been carried out.
Mr. Grover concluded his arguments and Senior Counsel Meenakshi Arora commenced her submission.
She stated that her submission would look into 3 aspects. First, her submission would look into data collection, profiling and surveillance. Next, she stated that dignity and identity were important aspects and could not be denied.
Referring to the judgment of Kharak Singh, she discussed physical individual surveillance, targeted surveillance and mass surveillance. On mass surveillance, she stated that other jurisdictions had also recognised the effects of mass surveillance. Relying on the judgment of Marper, she stated that it was not merely a matter of surveillance but also an apprehension of the fact that there could be future use of certain data.
Referring to an ECHR judgment, she stated that data was required to be destroyed and the concern was not with regard to real time surveillance. She also stated that data could be in the hands of an authority that could have the propensity of using it and there could be an apprehension of use as well.
She stated that with reference to the linkage of Aadhaar, the Union had claimed that the law was to avoid all forms of fraud, evasion, terrorism and that it was necessary as a preventive measure. Ms. Arora also commented on the quality of the law.
Chief Justice Misra stated that the Indian judiciary has not used the phrase ‘the quality of law’ since it brings morality into the picture.
Justice Chandrachud commented that the ‘quality of law’ implied that the test of necessity, foreseeability and accessibility would apply.
The hearing will continue on the 20th of March (Tuesday).
Arpita Biswas is a Programme Officer at the Centre for Communication Governance at National Law University Delhi

SC Constitution Bench on Aadhaar – Final Hearing (Day XVII)

By Arpita Biswas

Mr. Viswanathan continued his arguments on the invalidity of Section 59 of the Aadhaar Act. He stated that there was no informed consent in instances of enrolment from 2009-2016 and several other procedural safeguards were lacking. He also stated that a ‘legislative declaration of facts is not beyond the scope of judicial scrutiny’. He relied on Indra Sawhney vs. Union of India, (2000) 1 SCC 168.

Justice Chandrachud questioned what the consequences of invalidating Section 59 would be, and further questioned if all data between 2009-16 would also stand invalidated as a result.

Mr. Viswanathan responded, stating that the data should stand invalidated and should be destroyed, as consent could not be given retroactively. He stated that it was a matter of human rights in terms of personal search, and further referred to a case on gynaecological examination done without informed consent.

He then went on to discuss collection of data and the mandatory nature of Aadhaar.

He stated that data could not be bartered or forced to be bartered.

Referring to the Ahmedabad St. Xavier’s College Society v State of Gujarat case, he stated that one could not be forced to barter away their fundamental rights. He then referred to a South African case (Jordan vs. State) on bodily privacy. He also referred to the Planned Parenthood case and Roe vs. Wade.

Moving on to the argument on handing over sensitive data to states as opposed to private parties, he stated that the state should be held to a higher degree of scrutiny and that the principle of proportionality would be relevant in this regard.

Referring to the recent judgment on passive euthanasia (Common Cause vs. Union of India), he questioned whether the citizens were ‘guinea pigs’ for the UIDAI and the Union.

He also stated that the UIDAI should be requested to hand over numbers on errors of biometric authentication. Further, he stated that there was an undue burden on people to authenticate, which was unconstitutional.

Referring back to the Common Cause judgment, he discussed the portions on free and informed and the right to die and the duty to live.

He also discussed the ECHR judgment of MK vs. France, stating that the whole population’s identities could not be stored to justify the detection of fraudulent identities. Drawing out a hypothetical situation, he questioned whether maintaining a database with DNA samples of males could be a justification to prevent sexual violence.

Mr. Viswanathan then proceeded to read out excerpts from the Marper case.

He referred to the point of enrolling agents being private entities and the lack of judicial oversight. He also referred to the Bombay Habitual Offenders Act to make a point on the lack of independent oversight during enrolment.

Referring to Justice Brandeis’ dissenting judgment in Olmstead vs. US, he stated that the state could not be allowed to become a law breaker in order to catch a law breaker.

On the issue of storage, he stated that there was no specific statutory backing and that there seemed to be no mandate to store such data in the CIDR. He also stated that the inability to access one’s own biometric data was in violation of Article 19 and 21 of the Constitution.

Further, he stated that the Act lacked a purpose limitation. He also stated that the state had failed at discharging its burden.

Moving on, Mr. Viswanathan stated that Section 7 of the Act was unconstitutional. He also stated that Aadhaar had the capacity to do grave damage.

On the point of exclusion caused by Section 7, he stated that this was not merely a question of poor implementation but was also a fault of the law. He referred to the reported case of inadequate server capacity and the subsequent authentication failure in Rajasthan.

He reiterated that there was an undue burden being created on the citizens.

Referring to the spousal notification requirement in the case Whole Woman’s Health v Hellerstedt, 136 S.Ct. 2292 (2016), he discussed the respondent’s submission, stating that the notification requirement would only affect 1% of women and would not impose a problem on the majority of women. The Court in this case disagreed with the submission, stating that the fact that a majority of the population would be unaffected did not validate the notification.

He also referred to the Vijaysingh Chandubha Jadeja vs State of Gujarat case of 2011.

Lastly, he discussed smart cards and their efficiency. He also discussed the issue of leakages, stating that even in instances where Aadhaar had not been issued, it had been claimed that leakages had been prevented. He also discussed the issue of PDS irregularities.

Mr. Viswanathan will conclude his arguments in the next hearing.

Arpita Biswas is a Programme Officer at the Centre for Communication Governance at National Law University Delhi