In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.
The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.
Rakesh Dwivedi resumed his arguments for the Respondents. He began with stating that if there were problems with the system, they should be fixed, rather than the system being demolished completely. He argued that under Section 8 of the Act, the sharing and use of information was confined specifically to the authentication process. He further argued that the mandate of Section 29 states that core biometrics cannot be shared.
Justice Chandrachud asked how the UIDAI planned to control the Requesting Entities. The Counsel responded that control could be in terms of technical specifications of the devices, mandating approved software, mandating information systems audits etc.
In response to Justice Chandrachud’s query about the framing of Sections 8 and 29, the Counsel reiterated that the sharing of information would be limited to the process of authentication. Further, only non biometric information could be shared under Section 29.
Next, there was some disagreement between the counsel and Justice Chandrachud on the interpretation of Section 8. The Counsel stated that the Requesting Entity would not know the purpose for the authentication, but only that authentication had been done. Justice Chandrachud stated that that could be true for UIDAI, but it was uncertain if that would be true for Requesting Entities. According to him, the language of the Act didn’t conform to this design. Justice Sikri added that that would also render Section 8(3) redundant. The Counsel responded that the Bench could chose to read the Act in that way.
Justice Chandrachud then gave an example of an individual who goes to the hospital for certain services. The hospital sought authentication for him, 122 days out in 6 months. He noted that that would be potentially extremely valuable information for pharmaceutical companies, insurance providers etc. Until there was a data protection law, this could be a problem.
The counsel responded that no other jurisdiction has the sort of protections that the Aadhaar Act provides. Justice Chandrachud asked if the protection under the Act was all the data protection the citizens of India would ever need. He also gave the example of the European Union’s General Data Protection Regulation as an example of a comprehensive framework for data protection. The Counsel replied that the Aadhaar Act was sufficient, and in many ways superior. According to him, the GDPR has no penal provisions, and the States have to enact their own, which creates a patchwork. The Counsel argued that the Aadhaar framework has technological security, auditing, as well as penal provisions in place. He went on to say that there could never be 100% surety about anything. The standard to be sought was that of reasonable safeguards, and reasonable protection. He noted that none of the Petitioners had pointed out what more could be done.
Justice Chandrachud then noted that according to the Counsel’s reading, Sections 8(3) and 29(3) could be excised from the Act. The Counsel responded that nothing needed to be excised from the Act, only clarified. Further, there was no intent, purpose, or objective in the Act to allow aggregation of data, its analysis or transfer. In addition, any breach of the provisions would be punitive.
Justice Chandrachud observed that it is hard to predict commercial ingenuity, and it wouldn’t be possible to tell what use the Requesting Entities could make of the data with them. Justice Sikri interjected with the earlier hospital example, noting that the hospital would already have the data about medical treatments of the patients, and may not need Aadhaar to get that information. The main apprehension was one of misuse. The counsel agreed, questioning whether Aadhaar was adding to the problem, or making it worse in any way.
Justice Chandrachud noted that they must evaluate what safeguards can be introduced. He noted that data about individuals was now being used to influence electoral outcomes.
The counsel responded that Cambridge Analytica should not be brought into the discussion, because the nature of the data was different. Justice Chandrachud interjected, stating that that incident was symptomatic of the present times. The counsel responded arguing that the algorithms employed were different. There is a difference between matching algorithms (which Aadhaar uses) and sorting algorithms (which these companies use). He argued that there were many different types of algorithms, and the Petitioner’s had confused this distinction. He concluded that the data could not be analyzed by the Respondents. If at all, they would have to go through proper procedure.
The counsel continued, stating that Smart Cards were entrenched technology and that the Smart Card lobby in the West didn’t want Aadhaar to succeed. He claimed that other countries like Singapore were looking to replicate our model.
Justice Chandrachud noted that the issue was that there is a big world that interacts with Aadhaar. He said that the UIDAI might only be the least of their problems, since it is a government entity subject to a lot of scrutiny. The Counsel reiterated that only matching algorithms are used.
Coming back to the Act, the counsel submitted that Requesting Entities cannot be enrolled unless they establish the need for authentication. Justice Chandrachud asked what the purpose behind opening Aadhaar to private players was. In response, the Counsel argued that the nature of the public-private divide was changing. Private companies have been entering fields that were historically the domain of the public sector. The companies are funded by money from Banks, where the people have made deposits. So, it was actually the public that is funding these players. He argued that private players that perform public functions should also be subject to constitutional norms, review and scrutiny. Currently, public companies are subject to many restrictions, such as standards of reasonableness, while no similar shackles apply to private companies. He concluded stating that that was a larger debate for another time. For now, all that was necessary to know is that private players are also regulated by the Act.
The counsel then moved on to responding to the Petitioner’s argument that the Aadhaar framework amounted to the numbering of human beings. Counsel argued that we have been numbering humans for a long time. He cited the PNR number for flights as an example. He also noted that the Supreme Court proximity cards were numbered.
Justice Chandrachud responded that Aadhaar was a unified identity, as opposed to multiple identifying numbers. The counsel responded that just because they were assigning numbers for a specific purpose, didn’t mean that they were numbering people. Further, they were not collecting information such as race, caste etc.
Justice Chandrachud then asked how the Aadhaar became a mandate, from a mere entitlement. The Counsel responded that the Aadhaar was an entitlement, and the UIDAI was mandate neutral. It is the government that notifies that certain linkages are mandatory. Each of these could be examined or challenged separately.
The counsel resumed his arguments after lunch by examining the scope of Section 57. He argued that the objective of the section was not to expand, but to limit power. He submitted that if this limitation did not exist, anyone could become a Requesting Entity. The provision requires that there must be a law, or a prior contract.
Justice Chandrachud asked if once there was a prior contract under Section 57, if the UIDAI would be bound to offer authentication. The Counsel responded that UIDAI could still refuse, and there was a requirement of necessity. Further, this embargo was applicable to anyone, which is why State Resident Data Hubs are no longer possible.
The Bench noted that nothing in the Act seems to give UIDAI this type of discretion, and questioned whether there were any guidelines for how the UIDAI would come to its decisions. The counsel responded that the power came from Section 57. He gave the example of the CBSE, noting that there had been many cases of fraud. The Board could apply to be a Requesting Entity for the purpose of conducting the exam. However, this would require the presence of a prior contract, and it cannot be an ex post facto exercise. He argued that this contract must also state that authentication must be in accordance with Sec. 8 and Part VI of the Aadhaar Act.
The counsel then went on to examine the Information Technology Act, arguing that all the provisions and safeguards under that Act and its Rules would also be applicable. For instance, the CIDR had been notified as a protected system under the Act.
The counsel then discussed the attributes and benefits of biometric data. He argued that Aadhaar brings service providers face to face with the beneficiaries. He noted that Aadhaar would not be a panacea for all problems, but the issue of fake identity documents would be solved.
He then responded to other arguments raised by the Petitioners. In response to the argument that there was no legal mandate to store information in the CIDR, he brought the Bench’s attention to Section 10 of the Act. On the argument of the use of foreign suppliers and licensors, the Counsel responded that the hardware all belonged to the UIDAI, and even technicians only had access when there was some troubleshooting required. In response to the system being probabilistic, he argued that there were appropriate fall back mechanisms under Section 7.
The hearing will continue on April 18, 2018.