As new data privacy regulations spring up around the globe with greater frequency, multinational companies face difficulties not only in complying with a patchwork of requirements, but also in dealing with the uncertainty of what these requirements will actually mean and how they will be applied. Sometimes, as is the case in India, it will be the courts that eventually fill in the gaps—but even court decisions can create uncertainty.
In 2016, India amended its 2009 biometric identification system, known as Aadhaar, to allow both the government and private entities to collect an individual’s ID number for any purpose, which human rights advocates have decried as a violation of privacy. Despite the growing uncertainty surrounding this authorization, businesses in India continued to require ID numbers for certain services and used the ID numbers for consumer profiling and targeted advertisements.
The Supreme Court of India, however, recently struck down the part of the 2016 Act that allowed private businesses to ask for ID numbers for any purpose. As a result, many businesses will be forced to quickly adjust how they conduct business in India, highlighting that for companies facing ambiguous privacy regulations, erring on the side of greater privacy protections may be the better risk-based course.
What was the ruling?
The Supreme Court of India, in a 4-1 decision, found that Section 57 of the Aadhaar Act—which allowed commercial collection and use of ID numbers—violated the right to privacy because it allowed third parties to obtain, and potentially misuse, consumer data without individual consent for “any purpose,” rather than having those purposes specifically authorized in law. As a result of the holding, the following private-sector-based economic activities cannot be contingent on customers providing their Aadhaar ID number:
- Receiving employee pensions
- Re-verifying cell phone numbers
- Opening a bank account or a credit card
- Investing in a mutual fund
- Obtaining an insurance policy
In addition, companies selling air, train, and movie tickets cannot obtain ID numbers from their customers at all.
What are the implications for businesses operating in India?
The fact that Aadhaar cannot be made mandatory for certain services could have a dramatic impact on e-commerce and fintech companies operating in India, especially because of how this ruling intersects with India’s Know Your Customer (KYC) law. India’s KYC law requires financial companies in India to verify the name and address of their customers. Traditionally, this was done by Indian customers providing proper residential documents at centralized locations. The use of Aadhaar allowed companies to bypass this system and verify customers online, saving both time and money. As a result of the holding, however, companies will be forced to provide a physical alternative to customers who do not wish to link their Aadhaar numbers. The time it takes to physically verify a customer is approximately 5-6 days and costs on average $1.36, while it takes minutes to verify someone online and costs approximately $.02. Yet, companies will have to provide an option for customers to physically be verified in order to comply with both this most recent Supreme Court ruling and India’s KYC law.
While companies will no longer be able to require customers to provide Aadhaar numbers going forward—unless specific authorizations are passed in law—the holding was unclear on what steps companies must take to delink the Aadhaar numbers they already have on file. Presumably, companies will be required to provide a streamlined process to allow customers to delink their Aadhaar numbers from services like their bank accounts and mobile phones. The Unique Identification Authority of India (UIDAI), the government agency responsible for administering Aadhaar, will likely provide guidelines in the coming weeks about what steps companies must take. We can also likely expect a flurry of legislative proposals to authorize the use of Aadhaar numbers in specific circumstances. In the meantime, businesses cannot require Aadhaar numbers. The UIDAI had already filed over 50 formal complaints against businesses for Aadhaar data violations before the Supreme Court’s recent holding and will likely be more aggressive in its enforcement after this ruling.
Risk-based decisions on how much privacy to provide need to be made against the backdrop of accelerating legal trend lines in favor of enhanced privacy protections. Particularly because global privacy regulations—like the GDPR and potentially this ruling in India—don’t allow for the grandfathering of legacy data, global companies may want to decide whether the costs of waiting for certainty are greater than the costs of proactively applying—or preparing to apply—greater privacy rights.