Tunisia biometric passports

Supreme Court of India rules to restrict world’s largest digital identity framework (Aadhaar) — but debate continues

Today, 26 September, 2018, a five-judge constitution bench of the Supreme Court of India ruled on multiple challenges raised against Union Government’s Unique Identity Programme (UID), or “Aadhaar”.

In its 1448 page judgement, the Supreme Court ruled on the constitutional validity of the Aadhaar project. Justice Sikri wrote one concurring judgment for himself, Chief Justice Dipak Misra (who is retiring next week), and Justice A.M. Khanwilkar. Justice D.Y. Chandrachud —  who wrote the majority judgment for the Supreme Court of India in its landmark fundamental right to privacy ruling last year — wrote a separate judgment partly concurring and partly dissenting from the judgment authored by Sikri, with Justice Ashok Bhushan writing a separate judgment agreeing with parts of the ruling from the other three judges.

On the larger constitutional validity of the Aadhaar programme, four judges upheld the validity of the Aadhaar project, and one judge (Justice Chandrachud) ruled that the Aadhaar project is unconstitutional on multiple grounds and that the database must be immediately suspended and soon deleted.

What is Aadhaar?

The UID programme, known now by its government brand of “Aadhaar” (a Hindi word that loosely translates to “foundation”),  was established in 2008. It is a unique 12-digit number, meant to be provided to each resident of India, which is linked to a person’s biometric and demographic data. With more than one billion claimed enrollments in India, it is considered the largest biometric-linked national ID system in the world.

When established, authorities said the Aadhaar Unique ID would be voluntary and would help the Indian government achieve the twin objectives of (1) closing gaps in welfare delivery systems through better targeting, and (2) increasing the efficiency of welfare delivery systems by leveraging technology.

Over time, the use of Aadhaar has been tied to multiple services, from distribution of rations, to banking and internet services to international travel and marriage registration. Aadhaar use by private tech firms with respect to their consumer-facing digital services has also been on the rise, and there have been reports of Facebook testing new logins to its platform that would require Aadhaar, and existing implementations across a range of financial tech and other private sector interests in India. Use of Aadhaar has not gone without significant controversy and challenge in India —  the most critical frontier being a set of constitutional challenges to the Aadhaar framework in the Supreme Court of India that were filed in 2012.

Top takeaways from the ruling

Aadhaar is no longer mandatory for some purposes. The mandatory nature and the ubiquity of the Aadhaar programme have been diluted by the Supreme Court. Linkage of the Aadhaar framework with mobile numbers as well as bank accounts has been held unconstitutional, while the mandatory need for Aadhaar for various government services and programmes, such as various examinations under the University Grants Commission (UGC), the National Eligibility and Entrance Test (NEET; for PhD scholars) and the Central Board of Secondary Education (CBSE) exams and school admissions, has been struck down. However, the Union law which requires compulsory linking of Aadhaar to PAN Cards (taxation identity card) has been held valid, since Justice Sikri and his two concurring judges wrote to uphold an earlier judgment he had penned to that effect last year.

Private companies cannot demand Aadhaar. Furthermore, the privatised usage of Aadhaar —  which the court recognises as having potential of commercialisation and profiling of individual data —  has been declared unconstitutional, and now Aadhaar can only be used under specific sanction of law. All laws which provide for such usage of Aadhaar, would also be liable to judicial scrutiny, including tests of “necessity and proportionality”.

Need for “robust” data protection framework has been recognised. While, unfortunately, a majority of the judges found that Aadhaar does not per se conflict with the fundamental right to privacy of citizens in India, the judgments of Justices Sikri and Chandrachud both recognised the urgent need for a comprehensive data protection framework for the next billion users of the internet.

Concerns regarding surveillance through Aadhaar were addressed. The necessary requirement of judicial approval for law enforcement access to Aadhaar data has been added, while striking down relevant provisions in the law. For the first time in Indian law, a requirement has been made that High Court justices will have to be consulted in any data-disclosure request for national security-related data demands from the Aadhaar ecosystem.

Citizens are now allowed to file data breach complaints. The Aadhaar Act contained a provision (Section 47) that said only the Unique ID Authority of India could file criminal complaints alleging violations of the Aadhaar Act. The majority view across the judgments in this case was that this was an unconstitutional arbitrary restriction, and citizens must be allowed to file complaints regarding data breach before Indian courts.

Remaining concerns

Aadhaar is still necessary for government benefits and services. The key concerns emerging from the judgement is the upholding of Section 7 of the Aadhaar Act, 2016 —  which makes Aadhaar-based authentication a pre-condition to issuance of a variety of “subsidy, benefits or services” by the government. This provision has been a source of much concern —  at a principal level — wherein it is argued that essential services must not be held hostage to Aadhaar-based authentication, and at a practical level — wherein people have been deprived of services such as food ration, sometimes leading to deaths, due to improper implementation of Aadhaar. Certain other concerns regarding the implementation of the law such as deletion of information already taken under provisions which now stand as “unconstitutional” also persist.

Access Now is developing guidance on the human rights implications of nationalised digital identity programmes, and providing specific recommendations to ensure that human rights-respecting digital identity frameworks are developed around the world.

Serious digital security risks remain. While the verdict of the Supreme Court seems to address certain areas of concern in the Aadhaar framework in India, there are multiple areas of concern that remain. Justice Chandrachud’s judgment disagreed with several facts proposed by the Government and the UIDAI which Justice Sikri’s judgment had accepted, including the types of data collected by the Aadhaar programme and its profiling and other harm potential for citizens. Justice Chandrachud also emphasised the digital security risks for over a billion Indians raised by the manner in which the UIDAI has operated, the very real threats and intrusion possibilities to the Aadhaar Central ID Repository (CIDR) that stores biometrics in a centralised cloud based system, and went on to hold that Aadhaar directly violated rights to informational privacy, self-determination, and data protection, and had led to exclusion from government services and social welfare.

We will follow up on this initial response to the Aadhaar judgment, including examining the status of the Aadhaar framework in relation to the principles and recommendations Access Now has set out with respect to national digital identity programmes.